Information processing system

ABSTRACT

According to an embodiment, when a storage status of a first storage unit is recognized as a protected state, a control unit writes data to a second storage unit. When a read target address is recorded in a data migration log area, the control unit reads data from the second storage unit. When the read target address is not recorded in the data migration log area, the control unit reads data from the first storage unit.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. application Ser. No.15/440,588, filed Feb. 23, 2017, which is a continuation of U.S.application Ser. No. 14/850,833, filed Sep. 10, 2015, which is acontinuation of PCT International Application Serial No.PCT/JP2013/073859 filed on Aug. 29, 2013 which designates the UnitedStates and claims the benefit of priority from Japanese PatentApplication No. 2013-055548 filed on Mar. 18, 2013; the entire contentsof each of the above are incorporated herein by reference.

FIELD

Embodiments described herein relate to an information processing systemfor migrating data of a first storage unit to a second storage unit.

BACKGROUND

When a secondary storage device for a personal computer or a server isconfigured using a flash memory, in some case, there are a defectiveblock that cannot be used as a storage area or a defective area thatcannot be read because, for example, errors often occur. When the numberof defective blocks or the number of defective areas exceeds an upperlimit value, because a new defective block or defective area cannot beregistered, write of write-requested data in a flash memory cannot beguaranteed. Therefore, when the number of defective blocks or the numberof defective areas exceeds the upper limit value, even if there is afree area in the flash memory, write of data is suddenly disabled.

Therefore, there is a method of monitoring deterioration of a storagedevice and limiting write of data from an information processing deviceto the storage device before the life end of the storage device. Withthis method, it is possible to back up user data in another storagedevice and migrate the user data before the life end of the storagedevice and prevent a data loss due to the life end of the storagedevice.

However, this method is complicated because work for backing up the userdata in the other storage device has to be performed. Further, becausedata write in the original storage device for backup is limited by theinformation processing device, it is likely that the operation ofvarious application programs loaded in the information processing deviceis limited and processing speed of the application programs falls.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a functional configuration example of aninformation processing system in a first embodiment;

FIG. 2 is a block diagram of a functional configuration example of theinformation processing system in storing a control program in a SSD;

FIG. 3 is a block diagram of a functional configuration example of theinformation processing system in storing the control program in anotherexternal storage device;

FIG. 4 is a block diagram of a functional configuration example of theinformation processing system in installing the control program from aWEB;

FIG. 5 is block diagram of a functional configuration example of theinformation processing system in installing the control program from anoptical drive;

FIG. 6 is a block diagram of a functional configuration example of theinformation processing system in installing the control program from aUSB memory;

FIG. 7 is a block diagram of a hierarchical functional configurationexample of the information processing device;

FIG. 8 is a diagram of an external configuration of the informationprocessing system;

FIG. 9 is a diagram of another external configuration of the informationprocessing system;

FIG. 10 is a block diagram of a functional configuration example of aNAND memory chip;

FIG. 11 is a circuit diagram of a configuration example of one planeincluded in the NAND memory chip;

FIG. 12 is a diagram of a threshold voltage distribution in a four-leveldata storage method;

FIG. 13 is a block diagram of a functional configuration example of theSSD;

FIG. 14 is a diagram of management information of the SSD;

FIG. 15 is a diagram of a relation between an LBA and a management unitof the SSD;

FIG. 16 is a flowchart for explaining a procedure for specifying aphysical address from the LBA;

FIG. 17 is a flowchart for explaining an example of a read operationfrom the SSD;

FIG. 18 is a flowchart for explaining an example of a read operationfrom the SSD;

FIG. 19 is a flowchart for explaining an example of a read operationfrom the SSD;

FIG. 20A and FIG. 20B are flowchart for explaining an example of a readoperation from the SSD;

FIG. 21 is a flowchart for explaining an operation procedure inperforming NAND GC;

FIG. 22 is a flowchart for explaining an operation example of the SSDperformed when a delete notification is received;

FIG. 23 is a flowchart for explaining an operation example of the SSDperformed when an error occurs;

FIG. 24 is a flowchart for explaining statistical informationacquisition processing;

FIG. 25 is a diagram of a bad logical sector table;

FIG. 26 is a diagram of a bad cluster table;

FIG. 27A and FIG. 27B are diagram of SMART information serving as anexample of statistical information;

FIG. 28 is a graph of a relation between a Raw Value of the statisticalinformation and a reject ratio of the SSD;

FIG. 29 is a flowchart for explaining an error command response handlingprocess;

FIG. 30 is a flowchart for explaining another error command responsehandling process;

FIG. 31 is a diagram of a configuration example of data managed by aninformation processing device before life end processing is performed;

FIG. 32 is a diagram of internal data of a Boot Loader;

FIG. 33 is a diagram of a configuration example of metadata;

FIG. 34 is a flowchart of a procedure performed when an applicationprogram transmits an access request to a logical drive to an OS;

FIG. 35 is a flowchart for explaining a processing procedure of acontrol program performed when, for example, the information processingdevice starts;

FIG. 36 is a state transition chart for explaining a life cycle of astorage unit;

FIG. 37 is a state transition chart for explaining a life cycle of thestorage unit;

FIG. 38 is a diagram of a configuration example of data managed by theinformation processing device in a state in which a data migrationsource storage unit and a data migration destination storage unit areconnected;

FIG. 39 is a state transition chart of a life cycle of the storage unit;

FIG. 40 is a flowchart for explaining processing performed by thecontrol program in the life end processing;

FIG. 41 is a diagram of a logical drive status table;

FIG. 42 is a flowchart for explaining a processing procedure of the OSperformed when a write request is transmitted from the applicationprogram to the OS;

FIG. 43 is a flowchart for explaining a processing procedure of the OSperformed when a delete request is transmitted from the applicationprogram to the OS;

FIG. 44 is a flowchart for explaining a processing procedure of the OSperformed when a read request is transmitted from the applicationprogram to the OS;

FIG. 45 is a flowchart for explaining a processing procedure ofbackground backup;

FIG. 46 is a flowchart for explaining an operation procedure of thecontrol program performed when data migration is completed;

FIG. 47 is a conceptual diagram of read from a logical drive in a datamigrating state;

FIG. 48 is a conceptual diagram of write in the logical drive in thedata migrating state;

FIG. 49 is a block diagram of a functional configuration example of aninformation processing system in a second embodiment;

FIG. 50 is a diagram of a data migration log;

FIG. 51 is a diagram of a write example of a log in the data migrationlog;

FIG. 52 is a flowchart for explaining life end processing;

FIG. 53A and FIG. 53B are flowchart for explaining an operationprocedure of read from a logical drive;

FIG. 54 is a flowchart for explaining a processing procedure of an OSperformed when an LBA data delete request is transmitted from anapplication program to the OS;

FIG. 55 is a flowchart for explaining an operation procedure of write inthe logical drive;

FIG. 56 is a flowchart for explaining a monitoring procedure of a datamigrating state performed using the data migration log;

FIG. 57 is a diagram of transition of states of the logical drive thattakes places when a storage unit has reached the life end;

FIG. 58 is a block diagram of a functional configuration example of aninformation processing system in a third embodiment;

FIG. 59 is a diagram for explaining a transformation method for an arrayLBA (ALBA) and a storage unit LBA (SLBA) in a normal state;

FIG. 60 is a diagram for explaining a transformation method for thearray LBA (ALBA) and the storage unit LBA (SLBA) immediately aftermigration state transition;

FIG. 61 is a diagram of a data migration log;

FIG. 62 is a flowchart for explaining life end processing;

FIG. 63 is a flowchart for explaining a processing procedure of acontrol unit performed when, for example, a RAID controller starts;

FIG. 64 is a flowchart for explaining a processing procedure of the RAIDcontroller in executing a read request;

FIG. 65 is a flowchart for explaining another processing procedure ofthe RAID controller in executing the read request;

FIG. 66 is a flowchart for explaining a processing procedure of the RAIDcontroller in executing a write request;

FIG. 67 is a diagram of a specific example of write processing;

FIG. 68 is a flowchart for explaining a monitoring procedure for a datamigrating state performed using the data migration log;

FIG. 69 is a diagram of transition of statuses of storage units;

FIG. 70 is a diagram of an example in which a data migrating state ofone storage unit and a failure of another storage unit simultaneouslyoccur;

FIG. 71 is a diagram of an example in which a data migrating state oftwo storage units and a failure of another storage unit simultaneouslyoccur;

FIG. 72 is a diagram of an example in which, in a data migrating stateof one storage unit, an uncorrectable ECC error occurs in anotherstorage unit;

FIG. 73 is a block diagram of a functional configuration example of aninformation processing system in a fourth embodiment;

FIG. 74 is a block diagram of another functional configuration exampleof the information processing system in the fourth embodiment;

FIG. 75 is a diagram of a status table;

FIG. 76 is a block diagram of a functional configuration example of aninformation processing system in a fifth embodiment;

FIG. 77 is a block diagram of a functional configuration example of aninformation processing system in a sixth embodiment;

FIG. 78 is a block diagram of another functional configuration exampleof the information processing system in the sixth embodiment;

FIG. 79 is a flowchart for explaining transition operation of a controlunit from a normal state to a low reliability state;

FIG. 80 is a flowchart for explaining an example of a processingprocedure performed when the control unit receives a storage unitinformation request for a storage unit from a CPU;

FIG. 81 is a flowchart for explaining an example of another processingprocedure performed when the control unit receives the storage unitinformation request for the storage unit from the CPU;

FIG. 82 is a diagram of a drive display screen example in an informationprocessing device;

FIG. 83 is a diagram of another drive display screen example in theinformation processing device;

FIG. 84 is a diagram of another display screen example in theinformation processing device; and

FIG. 85 is a block diagram of another functional configuration exampleof the information processing system in the sixth embodiment.

DETAILED DESCRIPTION

According to an embodiment, an information processing system includes afirst storage unit including a readable and writable first memory, asecond storage unit including a readable and writable second memory, aninformation processing device connectable to the first storage unit andthe second storage unit, and a data migration log area. The informationprocessing device includes a control unit. The control unit executesfirst processing for determining a storage status of the first storageunit based on reliability information acquired from the first storageunit. The control unit executes second processing for, when the storagestatus of the first storage unit is recognized as a protected state bythe first processing, executing write on only the second storage unit ofthe first and second storage units, when a read target address isrecorded in the data migration log area, executing read data from thesecond storage unit and, when the read target address is not recorded inthe data migration log area, executing read data from the first storageunit. The control unit executes third processing for recording anaddress of data written in the second storage unit in the data migrationlog area according to the write by the second processing. The controlunit executes forth processing for, when the storage status of the firststorage unit is not recognized as the protected state by the firstprocessing, executing read data from the first storage unit withoutreading from the data migration log area.

Information processing system according to embodiments are explained indetail below with reference to the accompanying drawings. The inventionis not limited by the embodiments.

First Embodiment Configuration of a System

The configuration of a computer system, which is an example of aninformation processing system, in a first embodiment is shown in FIG. 1.An information processing system 1 includes an information processingdevice 111, one or a plurality of storage units, and an interface 19configured to connect the information processing device 111 and thestorage units. In this embodiment, a SSD (Solid State Drive), which is anonvolatile storage device, is used as the storage unit. However, thestorage unit can be other storage devices such as a hard disk drive(HDD), a hybrid drive, a SD card, a USB memory, a NAND flash memorychip, a magnetic tape, an embedded Multi Media Card (eMMC), and astorage device and a memory node described in United States PatentApplication Publication No. 2012/0117354. A plurality of storage areasincluded in one storage device can be respectively used as separatestorage units. In the following explanation in this embodiment, a SATA(Serial Advanced Technology Attachment) interface is used as theinterface 19. However, a PCI Express (Peripheral Component InterconnectExpress, PCIe), a USB (Universal Serial Bus), a SAS (Serial AttachedSCSI), a Thunderbolt (registered trademark), an Ethernet (registeredtrademark), a Fibre channel, and the like can be used. A CPU (a controlcircuit) 5 is a central processing unit in the information processingdevice 111. Various calculations and controls in the informationprocessing device 111 are performed by the CPU 5. The CPU 5 and a chipset 7 are connected by an interface such as a DMI (Direct MediaInterface). The CPU 5 performs control of a storage unit 2 and anoptical drive 10 such as a DVD drive via the chip set 7. The CPU 5performs control of a main memory 6. As the main memory 6, for example,a DRAM (Dynamic Random Access Memory), a MRAM (Magnetoresistive RandomAccess Memory), a ReRAIVI (Resistance Random Access Memory), and a FeRAM(Ferroelectric Random Access Memory) can be adopted.

A user performs control of the information processing device 111 throughan input device such as a keyboard 14 or a mouse 15. A signal from thekeyboard 14 or the mouse 15 is processed by the CPU 5 via, for example,a USB (Universal Serial Bus) controller 13 and the chip set 7. The CPU 5sends image data and text data to a display (a display device) 9 via adisplay controller 8. The user can visually recognize, via the display9, the image data and the text data sent from the information processingdevice 111.

The CPU 5 is a processor provided to control the operation of theinformation processing device 111. The CPU 5 executes, for example, anoperating system (OS) 100 loaded from the storage unit 2 to the mainmemory 6. Further, when the optical drive 10 enables execution of atleast one of read processing and write processing on an inserted opticaldisk, the CPU 5 executes the processing. The CPU 5 executes UEFI(Unified Extensible Firmware Interface) firmware, a system BIOS (BasicInput/Output System), and the like stored in a ROM 11. The UEFI firmwareand the system BIOS are programs for hardware control in the informationprocessing device 111. Besides, the CPU 5 controls a network controller12 via the chip set 7. As the network controller 12, there are, forexample, a LAN (Local Area Network) controller and a wireless LANcontroller.

The main memory 6 temporarily stores a program and data and functions asa work memory of the CPU 5. The main memory 6 includes a storage area 6Afor storing the OS 100 and a storage area 6B for storing a controlprogram 200. As generally known as, for example, Windows (registeredtrademark), the OS 100 is a program for managing the entire informationprocessing device 111, for example, managing an input and output deviceof the information processing device 111, managing a storage unit and amemory, and performing control for enabling software to use hardware anda storage device of the information processing device 111. In an exampleexplained in this embodiment, the control program 200 is a part of theOS 100. However, the control program 200 and the OS 100 can beindependent programs. In this embodiment, the control program 200 isexplained as a program read to the main memory 6 via the interface 19and executed. However, the control program 200 can be stored in the ROM11 and operate as a part of the UEFI firmware or the system BIOS. Thecontrol program 200 can be implemented in the information processingdevice 111 as hardware. In the main memory 6, metadata 300 and a logicaldrive status table 450 are stored.

The display controller 8 is a video reproduction controller configuredto control the display 9 of the information processing device 111. Thechip set 7 is a bridge device connected to a local bus of the CPU 5. Thechip set 7 controls the storage unit 2 and a storage unit 3, which arestorage devices configured to store various kinds of software and data,via the interface 19. The storage unit 2 and the storage unit 3 can beconnected to the CPU 5 through the chip set 7 or can be directlyconnected to the CPU 5.

The information processing device 111 accesses the storage unit 2 andthe storage unit 3 in a unit of a logical sector. A write command (awrite request), a read command (a read request), a flash command, andthe like are input to the storage unit 2 and the storage unit 3 via theinterface 19.

The chip set 7 also has a function for subjecting the ROM 11, theoptical drive 10, the network controller 12, and the USB controller 13to access control. The keyboard 14 and the mouse 15 are connected to theUSB controller 13.

Form of a Control Program

In this embodiment, for example, as shown in FIG. 2, when theinformation processing device 111 is off, the control program 200 isstored in an area 16B of a NAND flash memory (a NAND memory) 16 of thestorage unit 2. As shown in FIG. 2, when the information processingdevice 111 starts or a program starts, the control program 200 is loadedfrom the area 16B of the NAND memory 16 to an area 6B on the main memory6. On the other hand, when a plurality of storage units are connected tothe information processing device 111, for example, when a storage unit20 separate from the storage unit 2 and the storage unit 3 is connectedto the information processing device 111, as shown in FIG. 3, thecontrol program 200 can be stored in an area 20B of the storage unit 20.Then, when the information processing device 111 starts or the programstarts, the control program 200 is loaded from the area 20B to the area6B on the main memory 6. In particular, when the storage unit 20 is usedas a system drive configured to store an OS and the storage unit 2 isused as a data drive configured to store user data such as a document,still image data, and moving image data, it is desirable to store thecontrol program 200 in the storage unit 20, which functions as a systemdrive, in terms of clearly distinguishing roles of the storage unit 2and the storage unit 20. For example, the storage unit 20 functioning asthe system drive is used as a storage drive configured to mainly storean OS and an application program and the storage unit 2 functioning asthe data drive is used as a storage drive configured to store user data.

In terms of saving labor for setup of the control program 200 by theuser, for example, as shown in FIGS. 2 and 3, it is desirable that theinformation processing system 1 is shipped from a manufacturer,displayed in a shop, and delivered to the user in a state in which thecontrol program 200 is stored in the storage unit 2 or the storage unit20. On the other hand, in terms of enabling the user to select proprietyof installation of the control program 200 and in terms of enabling alatest control program to be provided to the user, it is desirable thatthe control program 200 can be stored in the storage unit 2 or thestorage unit 20 by download from a WEB or installation from an externalstorage medium such as a DVD-ROM or a USB memory.

FIG. 4 is an example of the download from the WEB. The control program200 is stored in an area 22B of a storage medium 22 in a WEB server 21.The control program 200 is downloaded (or installed) in the area 16B onthe NAND memory 16 of the storage unit through, for example, the networkcontroller 12 via a network such as the Internet, a local network, or awireless LAN. As the storage medium 22, for example, a SSD, a HDD, ahybrid drive, or a magnetic tape is used. In the case of FIG. 3, thecontrol program 200 is downloaded to or installed in the area 20B on thestorage unit 20.

FIG. 5 is an example of the installation from the optical medium. Thecontrol program 200 is stored in an optical medium 23 such as a DVD-ROM,a CD-ROM, a DVD-RW, or a Blu-ray (registered trademark) disc. When theoptical medium 23 is set on the optical drive 10, the control program200 is installed in the area 16B on the NAND memory 16 (or the area 20B)of the storage unit 2 via the optical drive 10.

FIG. 6 is an example of the installation from the USB memory. Thecontrol program 200 is stored in an area 24B of a USB memory 24. Whenthe USB memory 24 is connected to the USB controller 13, the controlprogram 200 is installed in the area 16B on the NAND memory 16 (or thearea 20B) of the storage unit 2 via the USB controller 13. Naturally,other external memories such as a SD card can be used instead of the USBmemory 24. In terms of easiness of acquisition by the user, it isdesirable that the optical medium 23 and the USB memory 24 are packagedtogether with the information processing system 1 or the storage unit 2as accessories when the information processing system 1 or the storageunit 2 is shipped. On the other hand, the optical medium 23 and the USBmemory 24 can be independently sold as software commodities or can beattached as supplements of a magazine or a book.

Hierarchical Structure of Software

A hierarchical structure in a software level of the informationprocessing device 111 is shown in FIG. 7. Usually, an applicationprogram 400 loaded on the main memory 6 does not directly communicatewith storage units such as the storage unit 2 and the storage unit 3 andcommunicates with the storage units through the OS 100 loaded to themain memory 6. The OS 100 communicates with the storage units throughthe UEFI firmware or the system BIOS. Before life end processing(processing at the end of the storage unit's life or Lifespan-reachedprocessing) explained below, the OS 100 recognizes the storage unit 2 asa logical drive 4 (see FIG. 38) functioning as a logical unit andnotifies the application program 400 of the logical drive 4 as anaccessible storage drive. When the application program 400 needs totransmit a command such as a read request or a write request to thelogical drive 4, the application program 400 transmits a request foraccess to the logical drive in a file unit to the OS 100. The OS 100refers to the metadata 300 stored in the main memory 6, specifies alogical address (LBA: Logical block Address) of the storage unit 2corresponding to the access-requested file, and transmits the command,the LBA, and data to the storage unit 2 via the interface 19. Uponreceiving a response from the storage unit 2, the OS 100 transmits aresponse to the application program 400. When the logical drive 4changes to a migration state explained below, the OS 100 recognizes thestorage unit 2 and the storage unit 3 as the logical drive 4.

Configuration of the Information Processing Device

A configuration example of the information processing system 1 isexplained. FIG. 8 is a schematic diagram of a desktop computerfunctioning as the information processing system 1. The desktop computerincludes a computer main body 31, the display 9, the keyboard 14, andthe mouse 15. The computer main body 31 includes a motherboard 30mounted with main hardware, the storage unit 2, and a power supplydevice 32. The storage unit 2 is physically connected to the motherboard30 via a SATA cable and electrically connected to, via the chip set 7mounted on the motherboard 30, the CPU 5 also mounted on themotherboard. The power supply device 32 generates various kinds ofelectric power used in the desktop computer and supplies the electricpower to the motherboard 30, the storage unit 2, and the like via apower supply cable. The storage unit 3 can be physically connected tothe motherboard 30 via the SATA cable. Consequently, the storage unit 3is electrically connected to, via the chip set 7 mounted on themotherboard 30, the CPU 5 also mounted on the motherboard.

FIG. 9 is a schematic diagram of a portable computer functioning as theinformation processing system 1. The portable computer includes acomputer main body 34 and a display unit 35. In the display unit 35, adisplay device 9 configured by, for example, an LCD (Liquid CrystalDisplay) is incorporated. The display unit 35 is attached to thecomputer main body 34 to be capable of pivoting between an open positionwhere the upper surface of the computer main body 34 is exposed and aclosed position where the upper surface of the computer main body 34 iscovered. The computer main body 34 includes a thin box-like housing. Apower switch 36, the keyboard 14, a touch pad 33, and the like arearranged on the upper surface of the computer main body 34. As in thedesktop computer, the computer main body 34 includes the storage unit 2,a motherboard, and a power supply device.

The information processing system 1 applied with the present inventioncan be, besides the above, an image pickup apparatus such as a stillcamera or a video camera or can be a tablet computer, a smart phone, agame apparatus, a car navigation system, a printer apparatus, a scannerapparatus, a server system, or the like.

Configuration of the Storage Device (1)

The configuration of the storage unit 2 is explained. In the explanationin this embodiment, a main component of the storage unit 2 is the NANDmemory 16. In the explanation in this embodiment, the storage unit 2 andthe storage unit 3 have the same configuration. On the other hand, thepresent invention can also be applied when the storage unit 3 has aconfiguration different from the configuration of the storage unit 2.For example, the storage unit 2 is a SSD including the NAND memory 16 asa main component and the storage unit 3 is a hard disk drive including amagnetic disk as a main component. It is desirable that the storage unit2 and the storage unit 3 have stored statistical information 65 therein.However, the present invention can also be applied when the storage unit2 has stored the statistical information 65 therein and the storage unit3 does not have stored the statistical information 65 therein. It isdesirable that the storage capacity of the storage unit 3, which is adata migration destination, is equal to or larger than the storagecapacity of the storage unit 2, which is a data migration source.However, the present invention can also be applied when the storagecapacity of the storage unit 3 is smaller than the storage capacity ofthe storage unit 2.

Configuration of the NAND Memory

In FIG. 10, an internal configuration example of a NAND memory chip 80included in the NAND memory 16 used as components of the storage unit 2and the storage unit 3 in this embodiment is shown. The NAND memory 16includes one or a plurality of NAND memory chips 80.

The NAND memory chip 80 includes a memory cell array in which aplurality of memory cells are arrayed in a matrix shape. A memory celltransistor included in the memory cell array is configured by a MOSFET(Metal Oxide Semiconductor Field Effect Transistor) having a stackedgate structure formed on a semiconductor substrate. The stacked gatestructure includes a charge storage layer (a floating gate electrode)formed on the semiconductor substrate via a gate insulating film and acontrol gate electrode formed on the floating gate electrode via aninter-gate insulating film. A threshold voltage of the memory celltransistor changes according to the number of electrons accumulated inthe floating gate electrode. The memory cell transistor stores dataaccording to a difference in the threshold voltage.

In the explanation in this embodiment, the respective memory cells adopta write system of a four-level store method for 2 bit/cell for writingdata using an upper page and a lower page. However, the essence of thepresent invention is the same when the memory cells adopts a writesystem of a two-level store method of 1 bit/cell for writing data usinga single page, a write system of an eight-level store method for 3bit/cell for writing data using an upper page, a middle page, and alower page, or a write system of a write system of a multi-level storemethod for 4 bit/cell or more. The memory cell transistor is not limitedto the structure including the floating gate electrode and can be astructure such as a MONOS (Metal-Oxide-Nitride-Oxide-Silicon) type thatcan adjust a threshold voltage by trapping electrons on a nitrideinterface functioning as a charge storage layer. Similarly, the memorycell transistor of the MONOS type can be configured to store one bit orcan be configured to store a multi-level. The memory cell transistor canbe, as a nonvolatile storage medium, a semiconductor storage medium inwhich memory cells are three-dimensionally arranged as described in U.S.Pat. No. 8,189,391, United States Patent Application Publication No.2010/0207195, and United States Patent Application Publication No.2010/0254191.

As shown in FIG. 10, the NAND memory chip 80 includes a memory cellarray 82 configured by arranging memory cells for storing data in amatrix shape. The memory cell array 82 includes a plurality of bitlines, a plurality of word lines, and a common source line. Electricallydata-rewritable memory cells are arranged in a matrix shape atintersections of the bit lines and the word lines. A bit line controlcircuit 83 for controlling the bit lines and a word line control circuit85 for controlling the word lines are connected to the memory cell array82. That is, the bit line control circuit 83 reads data of the memorycells in the memory cell array 82 via the bit lines and applies a writecontrol voltage to the memory cells in the memory cell array 82 via thebit lines and writes data in the memory cells.

A column decoder 84, a data input/output buffer 89, and a datainput/output terminal 88 are connected to the bit line control circuit83. The data of the memory cells read from the memory cell array 82 isoutput to the outside from the data input/output terminal 88 via the bitline control circuit 83 and the data input/output buffer 89. Write datainput to the data input/output terminal 88 from the outside is input tothe bit line control circuit 83 by the column decoder 84 via the datainput/output buffer 89 and written in designated memory cells.

The memory cell array 82, the bit line control circuit 83, the columndecoder 84, the data input/output buffer 89, and the word line controlcircuit 85 are connected to a control circuit 86. The control circuit 86generates, according to a control signal input to the control signalinput terminal 87, control signals and control voltages for controllingthe memory cell array 82, the bit line control circuit 83, the columndecoder 84, the data input/output buffer 89, and the word line controlcircuit 85. A circuit section other than the memory cell array 82 in theNAND memory chip 80 is referred to as NAND controller (NANDC) 81.

FIG. 11 shows the configuration of the memory cell array 82 shown inFIG. 10. The memory cell array 82 is a NAND cell type memory cell arrayand is configured to include a plurality of NAND cells. One NAND cellincludes a memory string MS formed by memory cells connected in seriesand selection gates S1 and S2 connected to both ends of the memorystring MS. The selection gate S1 is connected to a bit line BL and theselection gate S2 is connected to a source line SRC. Control gates ofmemory cells MC arranged in the same row are connected in common to wordlines WL0 to WLm−1. First selection gates S1 are connected in common toa select line SGD and second selection gates S2 are connected in commonto a select line SGS.

The memory cell array 82 includes one or a plurality of planes. Theplane includes a plurality of blocks. Each of the blocks includes aplurality of NAND cells. Data is erased in a unit of the block.

A plurality of memory cells connected to one word line configure onephysical sector. Data is written and read for each physical sector. Thephysical sector is unrelated to a logical sector of the LBA explainedbelow. In the one physical sector, for example, data equivalent to twophysical pages (two pages) is stored in the case of the 2 bit/cell writesystem (four-level). On the other hand, in the case of the 1 bit/cellwrite system (two-level), for example, data equivalent to one physicalpage (one page) is stored in the one physical sector. In the case of the3 bit/cell write system (eight-level), for example, data equivalent tothree physical pages (three pages) is stored in the one physical sector.

During a read operation, a program verify operation, and a programoperation, one word line is selected and one physical sector is selectedaccording to a physical address such as a Row Address received from aSSDC 41 explained below. Switching of a page in the physical sector isperformed according to a physical address. In this embodiment, the NANDmemory 16 adopts the 2 bit/cell write system, the SSDC 41 handles thephysical sector assuming that two pages, i.e., an upper page and a lowerpage, are allocated to the physical sector as physical pages. Physicaladdresses are allocated to all the pages.

The four-level NAND memory of 2 bit/cell is configured such that athreshold voltage in one memory cell could have four kinds ofdistributions. FIG. 12 shows a relation between 2-bit four-level data(data “11”, “01”, “10”, and “00”) stored in memory cells of a four-levelNAND cell type flash memory and a threshold voltage distribution of thememory cells. In FIG. 12, VA1 represents a voltage applied to a selectedword line when two data are read concerning a physical sector, a lowerpage of which is already written and an upper page of which is notwritten yet. VA1V represents a verify voltage applied to check whetherwrite is completed when write in A1 is performed.

VA2, VB2, and VC2 represent voltages applied to a selected word linewhen four data are read concerning a physical sector, a lower page andan upper page of which are already written. VA2V, VB2V, and VC2Vrepresent, when write in threshold voltage distributions is performed,verify voltages applied to check whether the write is completed. Vread1and Vread2 represent, when read of data is performed, read voltagesapplied to an unselected memory call in the NAND cells and conductingthe unselected memory cell irrespective of retained data of theunselected memory cell. Further, Vev1 and Vev2 represent, when data ofthe memory cells are erased, erasing verify voltages applied to thememory cells to check whether the erasing is completed. Vev1 and Vev2have negative values. The magnitude of Vev1 and Vev2 are determinedtaking into account the influence of interference of adjacent memorycells. Magnitude relations of the voltages are as follows:

-   -   Vev1<VA1<VA1V<Vread1    -   Vev2<VA2<VA2V<VB2<VB2V<VC2<VC2V<Vread2

The erasing verify voltages Vev1, Vev2, and Vev3 are negative values asexplained above. However, a voltage actually applied to the control gateof the memory cell MC in the erasing verify operation is not a negativevalue and is zero or a positive value. That is, in the actual erasingverify operation, a positive voltage is given to a back gate of thememory cell MC and a voltage of zero or a positive value smaller thanthe back gate voltage is applied to the control gate of the memory cellMC. In other words, the erasing verify voltages Vev1, Vev2, and Vev3 arevoltage equivalently having negative values.

An upper limit value of a threshold voltage distribution ER of thememory cell after block erasing is also a negative value. Data “11” isallocated to the memory cell. The memory cells of data “11”, “01”, “10”,and “00” in a lower page and upper page written state respectively havepositive threshold voltage distributions ER2, A2, B2, and C2 (lowerlimit values of A2, B2, and C2 are also positive values). The thresholdvoltage distribution A2 of the data “01” has a lowest voltage value, thethreshold voltage distribution C2 of the data “00” has a highest voltagevalue, and the voltage values of the various threshold voltagedistributions have a relation of A2<B2<C2. The memory cell of the data“10” in a lower page written and upper page unwritten state has apositive threshold voltage distribution A (a lower limit value of A1 isalso a positive value). The threshold voltage distribution shown in FIG.12 is only an example. The present invention is not limited to this. Forexample, in the explanation referring to FIG. 12, all the thresholdvoltage distributions A2, B2, and C2 are positive threshold voltagedistributions. However, when the threshold voltage distribution A2 is anegative voltage distribution and the threshold voltage distributions B2and C2 are positive voltage distributions, the distributions are alsoincluded in the scope of the present invention. Even if thresholdvoltage distributions ER1 and ER2 are positive values, the presentinvention is not limited to this. In this embodiment, the correspondencerelation among the data of ER2, A2, B2, and C2 is “11”, “01”, “10”, and“00”. However, the correspondence relation can be another correspondencerelation such as “11”, “01”, “00”, and “10”.

2-bit data of one memory cell includes lower page data and upper pagedata. The lower page data and the upper page data are written in thememory cell according to separate write operations, i.e., two writeoperations. When data is represented as “*@”, * represents the upperpage data and @ represents the lower page data.

First, write of the lower page data is explained with reference to firstand second sections of FIG. 12. It is assumed that all the memory cellshave the threshold voltage distribution ER in the erased state and storethe data “11”. As shown in FIG. 12, when write of the lower page data isperformed, the threshold voltage distribution ER of the memory cells isdivided into two threshold voltage distributions (ER1 and A1) accordingto a value (“1” or “0”) of the lower page data. When the value of thelower page data is “1”, ER1=ER because the threshold voltagedistribution ER in the erased state is maintained. However, a relationbetween the threshold voltage distributions ER and ER1 can be ER1>ER.

On the other hand, when the value of the lower page data is “0”, a highelectric field is applied to tunnel oxide films of the memory cells,electrons are injected into the floating gate electrode, and thethreshold voltage Vth of the memory cells is increased by apredetermined value. Specifically, the verify voltage VA1V is set andthe write operation is repeated until the threshold voltage is increasedto be equal to or higher than the verify voltage VA1V. As a result, thememory cells change to the written state (the data “10”). When thememory cells do not reach the threshold voltage even if the writeoperation is repeated a predetermined number of times (or the number ofmemory cells not reaching the threshold voltage is equal to or largerthan a threshold value), write in the physical page is “Program Error”(Program Fail or Write Error).

Write of the upper page data is explained with reference to the secondand third sections of FIG. 12. The write of the upper page data isperformed based on write data (upper page data) input from the outsideof the chip and lower page data already written in the memory cells.

That is, as shown in the second and third sections of FIG. 12, when avalue of the update data is “1”, a high electric field is not applied tothe tunnel oxide films of the memory cells to prevent a rise of thethreshold voltage Vth of the memory cells. As a result, the memory cellshaving the data “11” (the threshold voltage distribution ER1 of theerased state) maintain the data “11” (ER2) and the memory cells havingthe data “10” (the threshold voltage distribution A1) maintain the data“10” (B2). However, in terms of securing a voltage margin between thedistributions, it is desirable to adjust a lower limit value of thethreshold voltage distribution using the positive verify voltage VB2Vlarger than the verify voltage VA1V to thereby form a threshold voltagedistribution B2 obtained by narrowing the width of the threshold voltagedistribution. When the memory cells do not reach the threshold voltageeven if the lower limit value adjustment is repeated a predeterminednumber of times (or the number of memory cells not reaching thethreshold voltage is equal to or larger than the predetermined value),write in the physical page is “Program Error”.

On the other hand, when the value of the upper page data is “0”, a highelectric field is applied to the tunnel oxide films of the memory cells,electrons are injected into the floating gate electrode, and thethreshold voltage Vth of the memory cells is increased by apredetermined value. Specifically, the verify voltages VA2V and VC2V areset and the write operation is repeated until the threshold voltage isincreased to be equal to or higher than the verify voltages VA2V andVC2V. As a result, the memory cells having the data “11” (the thresholdvoltage distribution ER1 in the erased state) change to the data “01” ofthe threshold voltage distribution A2 and the memory cells having thedata “10” (A1) changes to the data “00” of the threshold voltagedistribution C2. At this point, the verify voltages VA2V and VC2V areused and lower limit values of the threshold voltage distributions A2and C2 are adjusted. When the memory cells do not reach the thresholdvoltage even if the write operation is repeated the predetermined numberof times (or the number of memory cells not reaching the thresholdvoltage is equal to or larger than the threshold value), write in thephysical page is “Program Error”.

On the other hand, in an erase operation, an erasing verify voltage Vevis set and the erase operation is repeated until the threshold voltageis reduced to be equal to or lower than the verify voltage Vev. As aresult, the memory cells change to the written state (the data “00”).When the memory cells do not reach the threshold voltage even if theerase operation is repeated a predetermined number of times (or thenumber of memory cells not reaching the threshold voltage is equal to orlarger than the predetermined value), erasing for the physical page is“Erase Error” (erase fail).

An example of the data write system in the general four-level storemethod is explained above. In a multi-bit storage system of 3 bit/cellor more, according to higher order page data, an operation for dividingthe threshold voltage distribution into eight or more kinds is onlyadded to the operation explained above. Therefore, a basic operation isthe same.

Configuration of the Storage Device (2)

A configuration example of the storage unit 2 and the storage unit 3 isexplained. In this embodiment, as shown in FIG. 13, the storage unit 2and the storage unit 3 functioning as SSD include a NAND flash memory(hereinafter abbreviated as NAND memory) 16 functioning as anon-volatile semiconductor memory, an interface controller (IFC) 42configured to perform transmission and reception of signals to and fromthe information processing device 111 via the interface 19, a RAM(Random Access Memory) 40 functioning as a semiconductor memoryincluding a cache memory (CM) 46 functioning as an intermediate bufferbetween the IFC 42 and the NAND memory 16, a SSD controller (SSDC) 41configured to administer management and control of the NAND memory 16and the RAM 40 and control of the interface controller 42, and a bus 43configured to connect these components.

As the RAM 40, for example, a volatile RAM such as a DRAM (DynamicRandom Access Memory) or a SRAM (Static Random Access Memory) or anonvolatile RAM such as a FeRAIVI (Ferroelectric Random Access Memory),a MRAM (Magnetoresistive Random Access Memory), a PRAM (Phase ChangeRandom Access Memory), or a ReRAM (Resistance Random Access Memory) canbe adopted. The RAM 40 can be included in the SSDC 41.

The NAND memory 16 includes a plurality of NAND memory chips 80. TheNAND memory 16 stores user data designated by the information processingdevice 111, stores a management table for managing the user data, andstores, for backup, management information managed by the RAM 40. TheNAND memory 16 includes the memory cell array 82 in which a plurality ofmemory cells are arrayed in a matrix shape. The respective memory cellscan perform multi-level storage using an upper page and a lower page.The NAND memory 16 includes a plurality of memory chips. Each of thememory chips is configured by arraying a plurality of blocks, which areunits of data erasing. In the NAND memory 16, write of data and read ofdata are performed for each page. The block includes a plurality ofpages.

The RAM 40 includes the cache memory (CM) 46 functioning as a cache fordata transfer between the information processing device 111 and the NANDmemory 16. The RAM 40 functions as a memory for management informationstorage and a memory for work area. Management tables managed in an area40A of the RAM 40 are various management tables stored in an area 40M ofthe NAND memory 16 and loaded when the storage unit 2 and the storageunit 3 are started. The management data are backed up in the area 40M ofthe NAND memory 16 periodically, when a standby command is received,when a flash command is received, or when a power supply is interrupted.

A function of the SSDC 41 is realized by a processor configured toexecute a system program (firmware) stored in the NAND memory 16,various hardware circuits, and the like. The SSDC 41 executes, inresponse to various commands such as a write request, a cache flashrequest, and a read request from the information processing device 111,data transfer control between the information processing device 111 andthe NAND memory 16, update and management of the various managementtable stored in the RAM 40 and the NAND memory 16, ECC decryption ofdata read from the NAND memory 16, and the like.

When the information processing device 111 transmits a read request or awrite request to the storage unit 2, the information processing device111 inputs an LBA serving as a logical address via the interface 19. TheLBA is a logical address in which serial numbers are given to logicalsectors (size: e.g., 512 Bytes) starting from 0. When the informationprocessing device 111 issues a read request or a write request to thestorage unit 2, the information processing device 111 inputs, togetherwith the LBA, the size of a logical sector for which the read request orthe write request is issued.

The IFC 42 has a function for receiving a read request, a write request,other requests, and data from the information processing device 111,transmitting the received requests and the data to the SSDC 41, andtransmitting the data to the RAM 40 according to the control by the SSDC41.

A configuration example of management information 44 used in the storageunit 2 and the storage unit 3 is shown in FIG. 14. As explained above,the management information 44 is stored in the area 40M of the NANDmemory 16 in a nonvolatile manner. The management information stored inthe area 40M is loaded to the area 40A of the RAM 40 and used when thestorage unit 2 is started. The management information 44 in the area 40Ais backed up in the area 40M periodically or when the power supply isinterrupted. When the RAM 40 is a nonvolatile RAM such as a MRAM or aFeRAM, the management information 44 can be stored in only the RAM 40.Then, the management information 44 is not stored in the NAND memory 16.To reduce a write amount in the NAND memory 16, it is desirable thatdata stored in the management information 44 is data obtained bycompressing data stored in the area 40A of the RAM 40. To reduce a writefrequency in the NAND memory 16, it is desirable that update information(difference information) of the management information 44 stored in thearea 40A of the RAM 40 is additionally written.

As shown in FIG. 14, the management information includes a free blocktable (FBT) 60, a bad block table (BT) 61, an active block table (ABT)62, a track table (a logical-to-physical transformation table in a trackunit) 63, a cluster table (a logical-to-physical transformation table ina cluster unit) 64, and statistical information 65.

As shown in FIG. 15, the LBA is a logical address in which serialnumbers are given to logical sectors (size: e.g., 512 Bytes) startingfrom 0. In this embodiment, as management units for the logical address(LBA) of the storage unit 2, a cluster address configured by higherorder bit rows from a lower order (s+1)th bit of the LBA and a trackaddress configured by higher order bit rows from a lower order (s+t+1)thbit of the LBA are defined. That is, the logical sector is a minimumaccess unit from the information processing device 111. A cluster is amanagement unit for managing “small data” in the SSD. The cluster sizeis defined to be a natural number times as large as the logical sectorsize. A track is a management unit for managing “large data” in the SSD.The track size is defined to be two or a larger natural number times aslarge as the cluster size. Therefore, the track address is obtained bydividing the LBA by the track size. An address in the track is aremainder obtained by dividing the LBA by the track size. The clusteraddress is obtained by dividing the LBA by the cluster size. An addressin the cluster is a remainder obtained by dividing the LBA by thecluster size. In the following explanation, for convenience, the size ofthe track is equal to the size of data recordable in one physical block(when a redundant bit of ECC processing performed by the SSDC 41 isincluded in the physical block, a size obtained by removing theredundant bit). The size of the cluster is equal to the size of datarecordable in one physical page (when a redundant bit of the ECCprocessing performed by the SSDC 41 is included in the physical page, asize obtained by removing the redundant bit).

The free block table (FBT) 60 manages a block address (a physical blockID) of a use-unallocated physical block (a free block: FB) that can beallocated anew for write when write in the NAND memory 16 is performed.The free block table (FBT) 60 manages erase count for each physicalblock ID. When a physical block is erased, the free block tabled (FBT)60 increments the erase count of the block.

The bad block table (BBT) 61 manages a block ID of a bad block (BB)serving as a physical block that cannot be used as a storage arebecause, for example, errors often occur. As in the FBT 60, the erasecount can be managed for each physical block ID.

The active block table (ABT) 62 manages an active block (AB), which is aphysical block to which a use is allocated. The active block table (ABT)62 manages the erase count for each physical block ID. When a physicalblock is erased, the active block table (ABT) 62 increments the numberof times of easing of the block.

The track table 63 manages a correspondence relation between a trackaddress and a physical block ID of a physical block in which track datacorresponding to the track address is stored.

The cluster table 64 manages a correspondence relation among a clusteraddress, a physical block ID of a physical block in which cluster datacorresponding to the cluster address is stored, and a page address inthe physical block in which the cluster data corresponding to thecluster address is stored.

The SSDC 41 stores, in the statistical information 65, variousparameters (X01 to X32) related to the reliability of the storage unit 2as reliability information (see FIG. 27).

Values (Raw Values) of the statistical information 65 used as an exampleof the reliability information include a total bad block count(statistical information X01), a total bad logical sector count(statistical information X02), a total erase count (statisticalinformation X03), an average erase count (statistical information X04),a total program error count of the NAND memory (statistical informationX05), a total erase error count of the NAND memory (statisticalinformation X06), a total read logical sector count (statisticalinformation X07), a total written logical sector count (statisticalinformation X08), a total uncorrectable ECC error count (statisticalinformation X09), a total retry read count (statistical informationX10), a corrected n bit-m bit ECC event count (statistical informationX11), data corruption error count of the interface 19 (statisticalinformation X12), a link speed down shift count of the interface 19(statistical information X13), a lane count down shift count of theinterface 19 (statistical information X14), an error count of theinterface 19 (statistical information X15), an error count of the RAM 40(statistical information X16), a power on time of the storage unit 2(statistical information X17), a power cycle count (statisticalinformation X18), an unintentional power down count (statisticalinformation X19), a cumulative time when temperature exceeds a maximumvalue of a recommended operation temperature (statistical informationX20), a cumulative time when temperature falls below a minimum value ofa recommended operation temperature (statistical information X21), amaximum value of a response time of a command (statistical informationX22), an average value of a response time of a command (statisticalinformation X23), a maximum value of a response time of the NAND memory(statistical information X24), an average value of a response time ofthe NAND memory (statistical information X25), a present temperature(statistical information X26), a highest temperature (statisticalinformation X27), a lowest temperature (statistical information X28),system data redundancy (statistical information X29), a total of writtendata amount in the RAM 40 (statistical information X30), a statisticalinformation increase ratio (statistical information X31), and a NAND GCError Flag (statistical information X32).

The total bad block count (statistical information X01) is explained.The SSDC 41 increments the statistical information X01 by one every timeone physical block of the NAND memory 16 in the storage unit 2 is addedto a bad block. It is desirable that the SSDC 41 resets the statisticalinformation X01 to zero during manufacturing (e.g., before a testprocess) of the storage unit 2. It is desirable that, when an erroroccurs in a block during the test process or when a block with a smallinter-distribution margin of a threshold voltage distribution isdetected, the SSDC 41 adds the block to the bad block in advance. TheSSDC 41 can directly calculate the statistical information X01 from theBBT 61 without storing the statistical information X01 in thestatistical information 65. A larger value of the statisticalinformation X01 indicates that reliability is further deteriorated.

The total bad logical sector count (the statistical information X02) isexplained. When a read command and an LBA are received from theinformation processing device 111 and read data cannot be subjected toECC correction during read from the NAND flash memory 16, the SSDC 41can register the LBA in the bad logical sector table in the managementinformation 44 as a bad logical sector (see FIG. 25). The SSDC 41 storesthe number of LBAs registered in the bad logical sector table in thestatistical information 65 as the total bad logical sector count (thestatistical information X02). When a read command is received from theinformation processing device 111, the SSDC 41 reads the bad logicalsector table on the RAM 40 and searches for the received LBA in the badlogical sector table. When the LBA is found in the bad logical sectortable, the SSDC 41 notifies the information processing device 111 of aread error without reading data from the NAND flash memory 16. When awrite command is received from the information processing device 111concerning the LBA of the bad logical sector and write processing isperformed, the SSDC 41 deletes the written LBA from the bad logicalsector table. When a delete notification is received from theinformation processing device 111 concerning the LBA of the bad logicalsector and delete notification processing is performed, the SSDC 41deletes the LBA subjected to the delete notification processing from thebad logical sector table. When an erase command (a Secure Erase command)for the storage unit 2 is received from the information processingdevice 111, the SSDC 41 erases the bad logical sector table. As theerase command for the storage unit 2, for example, an F4h Security EraseUnit command of ACS-3 or an 80h Format NVM command of NVM ExpressRevision 1.1 can be used. Instead of managing the bad logical sectortable in an LBA unit (a logical sector unit), as shown in FIG. 26, theSSDC 41 can manage the bad logical sector table in a cluster unit as abad cluster table. The SSDC 41 manages, as the statistical informationX02, the number of LBAs registered in the bad logical sector table orthe number of cluster addresses registered in the bad cluster table. TheSSDC 41 can directly calculate the statistical information X02 from thebad logical sector table and the bad cluster table without storing thestatistical information X02 in the statistical information 65. A largervalue of the statistical information X02 indicates that reliability isfurther deteriorated.

The total erase count (statistical information X03) is explained. Thestatistical information X03 indicates a cumulative value of the erasecount of all blocks of the NAND memory 16 in the storage unit 2. TheSSDC 41 increments the statistical information X03 by one every time onephysical block of the NAND memory 16 in the storage unit 2 is erased. Itis desirable that the statistical information X03 is reset to zeroduring manufacturing (e.g., before a test process) of the storage unit2. The SSDC 41 can directly calculate the statistical information X03from the FBT 60, BBT 61, and the ABT 62 without storing the statisticalinformation X03 in the statistical information 65. A larger value of thestatistical information X03 indicates that reliability is furtherdeteriorated.

The average erase count (the statistical information X04) is explained.The SSDC 41 calculates an average erase count per one block concerningall the blocks of the NAND memory 16 and stores the average erase countin the statistical information 65 as the statistical information X04.The SSDC 41 can exclude, from a totalization target of the statisticalinformation X04, a part of the blocks such as a block in which themanagement information 44 is stored. It is desirable that thestatistical information X04 is reset to zero during manufacturing (e.g.,before a test process) of the storage unit 2. The SSDC 41 can directlycalculate the statistical information X04 from the FBT 60, the BBT 61,and the ABT 62 without storing the statistical information X04 in thestatistical information 65. The SSDC 41 can use a maximum value of theerase count or a minimum value of the erase count instead of the averageerase count. A larger value of the statistical information X04 indicatesthat reliability is further deteriorated.

The total program error count (the statistical information X05) of theNAND memory is explained. The SSDC 41 increments (or can increment in ablock unit) the statistical information X05 by one every time a programerror occurs in one write unit in the NAND memory 16 in the storage unit2. It is desirable that the statistical information X05 is reset to zeroduring manufacturing (e.g., before a test process) of the storage unit2. A larger value of the statistical information X05 indicates thatreliability is further deteriorated.

The total erase error count of the NAND memory (the statisticalinformation X06) is explained. It is desirable that the statisticalinformation X06 is reset to zero during manufacturing (e.g., before atest process) of the storage unit 2. The SSDC 41 increments thestatistical information X06 by one every time an erase error occurs inone block in the NAND memory 16 in the storage unit 2. The SSDC 41 cancollectively set a plurality of blocks as an erasing unit and incrementthe statistical information X06 by one every time an erase error occursin one erasing unit. A larger value of the statistical information X06indicates that reliability is further deteriorated.

The total read logical sector count (the statistical information X07) isexplained. The SSDC 41 stores a cumulative number of the numbers oflogical sectors of data transmitted to the information processing device111 as read data by the IFC 42 in the statistical information 65 as thestatistical information X07. It is desirable that the statisticalinformation X07 is reset to zero during manufacturing (e.g., before atest process) of the storage unit 2. A larger value of the statisticalinformation X07 indicates that reliability is further deteriorated.

The total written logical sector count (the statistical information X08)is explained. The SSDC 41 stores a total number of logical sectors ofdata received from the information processing device 111 as write databy the IFC 42 in the statistical information 65 as the statisticalinformation X08. It is desirable that the statistical information X08 isreset to zero during manufacturing (e.g., before a test process) of thestorage unit 2. A larger value of the statistical information X08indicates that reliability is further deteriorated.

The total uncorrectable ECC error count (the statistical informationX09) is explained. When an error bit cannot be corrected by ECCcorrection, the SSDC 41 increments the statistical information X09 by 1in every one read unit. The SSDC 41 can add an estimated value of thenumber of error bits that cannot be corrected or can add the number oferror blocks that cannot be corrected. It is desirable that thestatistical information X09 is reset to zero during manufacturing (e.g.,before a test process) of the storage unit 2. A larger value of thestatistical information X09 indicates that reliability is furtherdeteriorated.

The total retry read count (the statistical information X10) isexplained. When the number of error bits is larger and error correctionimpossible (ECC error) during data read, it is desirable that the SSDC41 executes error correction using the ECC again. In particular, whenthe SSDC 41 shifts the read levels VA1, VA2, VB2, and VC2 shown in FIG.12 from default values and performs read, data that cannot beerror-corrected can be sometimes error-corrected. The SSDC 41 can storethe total retry read count in the statistical information X09 as thestatistical information X10 and use the total retry read count for lifeend prediction and life end determination. It is desirable that thestatistical information X10 is reset to zero during manufacturing (e.g.,before a test process) of the storage unit 2. A larger value of thestatistical information X10 indicates that reliability is furtherdeteriorated.

The corrected n bit-m bit ECC event count (the statistical informationX11) is explained. In the corrected n bit-m bit ECC event count, n and mare natural numbers and 0≦n≦m≦maximum number of correctable bits. Whenthe ECC correction is performed for an ECC correction unit (e.g., aphysical page), if all error bits are normally corrected and the numberof corrected error bits is equal to or larger than n and equal to orsmaller than m, the SSDC 41 increments the corrected n bit-m bit ECCevent count by one for one ECC correction unit. If maximum 64 bits canbe corrected per one correction unit by the ECC correction, for example,the SSDC 41 reserves eight parameters “corrected 1 bit-8 bit ECC eventcount”, “corrected 9 bit-16 bit ECC event count”, “corrected 17 bit-24bit ECC event count”, “corrected 25 bit-32 bit ECC event count”,“corrected 33 bit-40 bit ECC event count”, “corrected 41 bit-48 bit ECCevent count”, “corrected 49-bit-56 bit ECC event count”, and “corrected57 bit-64 bit ECC event count”. If the ECC correction is normallyperformed, the SSDC 41 increments any one of the eight parameters by 1every time the EEC correction in one ECC correction unit is performed.It is desirable that the statistical information X11 is reset to zeroduring manufacturing (e.g., before a test process) of the storage unit2. A larger value of the statistical information X11 indicates thatreliability is further deteriorated.

The data corruption error count of the interface 19 (the statisticalinformation X12) is explained. The SSDC 41 increments the statisticalinformation X12 by one every time data corruption of a signal isdetected on the interface 19. Data transmitted and received on theinterface 19 is subjected to error detection and error correction by theSSDC 41, the IFC 42, and the chip set 7 using, for example, a CyclicRedundancy Check (CRC) code, a Bose-Chaudhuri-Hocquenghem (BCH) code, aReed-Solomon (RS) code, a Low-Density Parity-Check (LDPC) code, and thelike. When an error is detected or when the error correction cannot beperformed, the SSDC 41 increments the statistical information X12 byone. For example, when the interface 19 is based on a SATA standard, theSSDC 41 increments the statistical information X12 by one every time anR error (Reception Error, R_ERR) in the SATA standard occurs once. Asthe statistical information X12, any one of Phy Event Counters of theSATA standard can be adopted. It is desirable that the statisticalinformation X12 is reset to zero during manufacturing (e.g., before atest process) of the storage unit 2. A larger value of the statisticalinformation X12 indicates that reliability is further deteriorated.

The link speed down shift count of the interface 19 (the statisticalinformation X13) is explained. When the SSDC 41, the IFC 42, and thechip set 7 detect that communication speed of the interface 19 decreasesto be smaller than a design value, the SSDC 41 increments thestatistical information X13 by one. For example, although the interface19, the IFC 42, and the SSDC 41 are designed at SATA communication speedof the maximum 6 Gbps, when it is detected that communication speedactually established between the interface 19, the IFC 42, and the SSDC41 and the storage unit 2 and the information processing device 111 islower communication speed such as 3 Gbps, the SSDC 41 regards this as anerror in SATA communication and increments the statistical informationX13 by one. For example, although the interface 19, the IFC 42, and theSSDC 41 are designed at Express communication speed of the maximum 8Gbps, when it is detected that communication speed actually establishedbetween the interface 19, the IFC 42, and the SSDC 41 and the storageunit 2 and the information processing device 111 is lower communicationspeed such as 5 Gbps, the SSDC 41 regards this as an error in PCIExpress communication and increments the statistical information X13 byone. It is desirable that the statistical information X13 is reset tozero during manufacturing (e.g., before a test process) of the storageunit 2. A larger value of the statistical information X13 indicates thatreliability is further deteriorated.

The lane count down shift count of the interface 19 (the statisticalinformation X14) is explained. When the SSDC 41, the IFC 42, and thechip set 7 detect that the number of active transmission lines of theinterface 19 decreases to be smaller than a design value, the SSDC 41increments the statistical information X14 by one. For example, althoughthe interface 19, the IFC 42, and the SSDC 41 are designed at the numberof PCI express transmission line (number of Lanes) of the maximum 8Lanes, when it is detected that the number of transmission linesactually established between the interface 19, the IFC 42, and the SSDC41 and the storage unit 2 and the information processing device 111 is asmaller number of transmission lines such as 4 Lanes, the SSDC 41regards this as an error in PCI Express communication and increments thestatistical information X14 by one. It is desirable that the statisticalinformation X14 is reset to zero during manufacturing (e.g., before atest process) of the storage unit 2. A larger value of the statisticalinformation X14 indicates that reliability is further deteriorated.

The error count of the interface 19 (the statistical information X15) isexplained. Every time the SSDC 41, the IFC 42, and the chip set 7 detectan other abnormality in the interface 19 (other than X12) once, the SSDC41 increments the statistical information X15 by one. It is desirablethat the statistical information X15 is reset to zero duringmanufacturing (e.g., before a test process) of the storage unit 2. Alarger value of the statistical information X15 indicates thatreliability is further deteriorated.

The error count of the RAM 40 (the statistical information X16) isexplained. When the SSDC 41 writes data in the RAM 40, an ECC encodingunit or an error-detection-code creating unit of the SSDC 41 or the RAM40 encodes the data and writes the data in the RAM 40. When the SSDC 41reads data from the RAM 40, an ECC decoding unit or an error detectingunit of the SSDC 41 or the RAM 40 subjects the data to error correctionor error detection and reads the data from the RAM 40. If the errorcorrection cannot be performed or if an error is detected when the SSDC41 reads data from the RAM 40, the SSDC 41 increments the statisticalinformation X16 by one. It is desirable that the statistical informationX16 is reset to zero during manufacturing (e.g., before a test process)of the storage unit 2. A larger value of the statistical information X16indicates that reliability is further deteriorated.

The power on time of the storage unit 2 (the statistical informationX17) is explained. While a power supply for the storage unit 2 is ON,when the SSDC 41 counts a clock or receives time information from aninternal timing circuit, the SSDC 41 increments the statisticalinformation X17 as an elapsed time. Alternatively, the SSDC 41 canperiodically receive time information of the information processingdevice 111 from the information processing device 111 and increment adifference in the time information. As examples of the power on time,for example, there are power on hours and power on seconds. It isdesirable that the statistical information X17 is reset to zero duringmanufacturing (e.g., before a test process) of the storage unit 2. Alarger value of the statistical information X17 indicates thatreliability is further deteriorated.

The power cycle count (the statistical information X18) is explained.The SSDC 41 increments the statistical information X18 by one every timethe power is supplied to the storage unit 2 and the storage unit 2 isstarted. During the power supply and the start, in some case, a readoperation takes place and a write operation takes place for the NANDflash memory 16. Therefore, a larger value of the statisticalinformation 18 indicates that reliability is further deteriorated. It isdesirable that the statistical information X18 is reset to zero duringmanufacturing (e.g., before a test process) of the storage unit 2.

The unintentional power down count (the statistical information X19) isexplained. Usually, when the power supply for the storage unit 2 isturned off, for example, the information processing device 111 issues,for example, an E0h Standby Immediate command described in Informationtechnology ATA/ATAPI Command Set-3 (ACS-3) to the storage unit 2 or setsShutdown Notification (CC.SHN) described in NVM Express Revision 1.1 to01b. In this way, the information processing device 111 transitions thestorage unit 2 to a state in which the power supply can be interruptedand then interrupts the power supply for the storage unit 2. On theother hand, in some case, power supply interruption unintentionallyoccurs when the storage unit 2 is not in the state in which the powersupply can be interrupted. This is called Unintentional Power Down(Ungraceful Power Down, Unsafe Shutdown, and Unintended Power Down).When the storage unit 2 starts for the first time after theinappropriate power supply interruption, the SSDC 41 increments thestatistical information X19 by one. The inappropriate power supplyinterruption also causes reliability deterioration of the storage unit 2because user data is broken or a large amount of read and writeoperation from and to the NAND memory 16 takes place in theinappropriate power supply interruption. Therefore, a larger value ofthe statistical information X19 indicates that reliability is furtherdeteriorated. It is desirable that the statistical information X19 isreset to zero during manufacturing (e.g., before a test process) of thestorage unit 2.

The cumulative time when temperature exceeds a maximum value of arecommended operation temperature (statistical information X20) isexplained. When a thermometer is mounted in the storage unit 2, forexample, on the substrate of the storage unit 2, in the SSDC 41, or inthe NAND memory 16, the SSDC 41 periodically receives temperatureinformation from the thermometer. When the received temperature exceedsthe recommended operation temperature (e.g., 100° C.), the SSDC 41increments, based on time information acquired from the clock, aninternal clock, or the information processing device 111, the number ofhours of operation at temperature equal to or higher than therecommended operation temperature. It is desirable that the statisticalinformation X20 is reset to zero during manufacturing (e.g., before atest process) of the storage unit 2. A larger value of the statisticalinformation X20 indicates that reliability is further deteriorated.

The cumulative time when temperature falls below a minimum value of arecommended operation temperature (the statistical information X21) isexplained. When a thermometer is mounted in the storage unit 2, the SSDC41 periodically receives temperature information from the thermometer.When the received temperature falls below the recommended operationtemperature (e.g., −40° C.), the SSDC 41 increments, based on timeinformation acquired from the clock, the internal clock, or theinformation processing device 111, the number of hours of operation attemperature equal to or higher than the recommended operationtemperature. It is desirable that the statistical information X21 isreset to zero during manufacturing (e.g., before a test process) of thestorage unit 2. A larger value of the statistical information X21indicates that reliability is further deteriorated.

The response time maximum value of a command (the statisticalinformation X22) is explained. The SSDC 41 measures time (or the numberof clocks) required from reception of a command from the informationprocessing device 111 until transmission of a response to theinformation processing device 111 (or completion of execution of thecommand) and stores a maximum value of the time in the statisticalinformation 65 as the statistical information X22. When a response timeexceeding the statistical information X22 occurs, the SSDC 41 overwritesthe statistical information X22 with the response time. The SSDC 41 canstore the statistical information X22 for each of commands. It isdesirable that the statistical information X22 is reset to zero duringmanufacturing (e.g., before a test process) of the storage unit 2 orduring shipment of the storage unit 2.

The response time average value of a command (the statisticalinformation X23) is explained. The SSDC 41 measures time (or the numberof clocks) required from reception of a command from the informationprocessing device 111 until transmission of a response to theinformation processing device 111 (or completion of execution of thecommand) and stores an average value of the time in the statisticalinformation 65 as the statistical information X23. For example, the SSDC41 stores a fixed number of response time lists in the RAM 40 andcalculates an average value of the response time lists to therebycalculate the statistical information X23. The SSDC 41 can store thestatistical information X23 for each of commands. It is desirable thatthe statistical information X23 is reset to zero during manufacturing(e.g., before a test process) of the storage unit 2 or during shipmentof the storage unit 2.

The response time maximum value of the NAND memory (the statisticalinformation X24) is explained. The SSDC 41 measures time (or the numberof clocks) required from issuance of a command to the NAND memory 16 bythe SSDC 41 until reception of a response (or reception of a commandexecution completion notification) and stores a maximum value of thetime in the statistical information 65 as the statistical informationX24. When a response time exceeding the statistical information X24occurs, the SSDC 41 overwrites the statistical information X24 with theresponse time. The SSDC 41 can store the statistical information X24 foreach of commands. It is desirable that the statistical information X24is reset to zero during manufacturing (e.g., before a test process) ofthe storage unit 2 or during shipment of the storage unit 2.

The response time average value of the NAND memory (the statisticalinformation X25) is explained. The SSDC 41 measures time (or the numberof clocks) required from issuance of a command to the NAND memory 16until reception of a response (or reception of a command executioncompletion notification) and stores an average value of the time in thestatistical information 65 as the statistical information X25. Forexample, the SSDC 41 stores a fixed number of response time lists in theRAM 40 and calculates an average value of the response time lists tothereby obtain the statistical information X25. The SSDC 41 can storethe statistical information X25 for each of commands. It is desirablethat the statistical information X25 is reset to zero duringmanufacturing (e.g., before a test process) of the storage unit 2 orduring shipment of the storage unit 2.

The present temperature (the statistical information X26) is explained.When a thermometer is mounted in the storage unit 2, the SSDC 41periodically receives temperature information from the thermometer. TheSSDC 41 stores temperature received from the thermometer last in thestatistical information X26 as a present temperature. When the presenttemperature is extremely high (e.g., equal to or higher than 85° C.),the SSDC 41 determines that the reliability of the storage unit 2 isadversely affected. When the temperature is extremely low (e.g., equalto or lower than −10° C.), the SSDC 41 determines that the reliabilityof the storage unit 2 is adversely affected.

The highest temperature (the statistical information X27) is explained.The SSDC 41 stores a maximum value of the present temperature X26 in thestatistical information X27 as a highest temperature. When the highesttemperature is extremely high (e.g., equal to or higher than 85° C.),the reliability of the storage unit 2 is adversely affected. When theSSDC 41 receives the present temperature higher than the statisticalinformation X27 from the thermometer, the SSDC 41 rewrites thestatistical information X27 with the present temperature. It isdesirable that the statistical information X27 is reset to temperature(e.g., −40° C.) sufficiently low compared with an operating temperatureof the storage unit 2 during manufacturing (e.g., before a test process)of the storage unit 2 or during shipment of the storage unit 2.

The lowest temperature (the statistical information X28) is explained.The SSDC 41 stores a minimum value of the present temperature X26 in thestatistical information X28 as a lowest temperature. When the lowesttemperature is extremely low (e.g., equal to or lower than −40° C.), theSSDC 41 determines that the reliability of the storage unit 2 isadversely affected. When the SSDC 41 receives the present temperaturelower than the statistical information X28 from the thermometer, theSSDC 41 rewrites the statistical information X28 with the presenttemperature. It is desirable that the statistical information X28 isreset to temperature (e.g., 120° C.) sufficiently high compared with anoperating temperature of the storage unit 2 during manufacturing (e.g.,before a test process) of the storage unit 2 or during shipment of thestorage unit 2.

The system data redundancy (the statistical information X29) isexplained. When system data such as data in the management informationarea 40M of the NAND memory 16 or a system program (firmware) stored inthe NAND memory 16 is broken and unable to be read, it is likely thatthe storage unit 2 cannot perform a normal operation. For improvement ofthe reliability of the storage unit 2, it is desirable that the SSDC 41makes the system data redundant across a plurality of physical blocks ora plurality of channels using RAID1, RAID5, or RAID6 and stores thesystem data in the area 40M. The SSDC 41 transforms redundancy of thesystem data into a numerical value and stores the numerical value in thestatistical information 65 as the system data redundancy (thestatistical information X29). When redundancy X29=R, a data loss up tomaximum (R−1) blocks can be restored. For example, when the SSDC 41manages management information 45 over four blocks using the RAID1, themanagement information 45 is stored as clones respectively in a block A,a block B, a block C, and a block D. Then, because the managementinformation 45 retains four clones in total, the redundancy X29 of themanagement information 45 is four. For example, when data of the block Ais broken and unable to be read, the SSDC 41 can read the managementinformation 45 by performing data read from the block B, the block C, orthe block D. Then, because the management information 45 retains threeclones in total, the redundancy X29 of the management information 45 isthree. For example, when the SSDC 41 manages the management information45 over four blocks using the RAID5, the management information 45 isstored in, for example, the block A, the block B, the block C, and theblock D respectively by four RAID5s. Then, even if data of maximum oneblock is lost, because the data can be restored, the redundancy X29 ofthe management information is two. In a state in which data for oneblock is lost, the redundancy X29 is one. When the redundancy X29decreases, system data is more likely to be unable to be restored and afailure rate of the storage unit 2 increases. A smaller value of theredundancy X29 indicates that reliability is further deteriorated. Whenthe redundancy X29 decreases, it is desirable that the SSDC 41 recoversthe redundancy by rewriting restored data in a block in which data islost.

The total of written data amount in the RAM 40 (the statisticalinformation X30) is explained. The SSDC 41 stores a cumulative value ofdata write amounts written in the RAM 40 of the storage unit 2 in thestatistical information 65 as the statistical information X30. The SSDC41 increments the statistical information X30 by one every time data ofone page is written in the RAM 40. It is desirable that the statisticalinformation X30 is reset to zero during manufacturing (e.g., before atest process) of the storage unit 2. A larger value of the statisticalinformation X30 indicates that reliability if further deteriorated.

The statistical information increase ratio (the statistical informationX31) is explained. The SSDC 41 stores not-latest information of thestatistical information X01 to X25 (e.g., values before a fixed time,values at the time when the storage unit 2 is powered on, and values atthe time when the storage unit 2 is powered down last time) separatelyin the management information 44. The SSDC 41 calculates the statisticalinformation X31 according to, for example, any one of the followingformulas:

statistical information increase ratio=(latest statisticalinformation)−(old information)

statistical information increase ratio=((latest statisticalinformation)−(old information))/(elapsed time after old information isacquired)

statistical information increase ratio=((latest statisticalinformation)−(old information))/(number of times of NAND access afterold information is acquired)

It is desirable that the statistical information X31 is reset to zeroduring manufacturing (e.g., before a test process) of the storage unit2. A larger value of the statistical information X31 indicates thatreliability is further deteriorated.

The NAND GC Error Flag (the statistical information X32) is explained.When the statistical information X32 is 1, the number of free blockssufficient for an operation cannot be acquired even with a garbagecollection (GC) of data stored in NAND memory 16 (hereinafter referredto as NAND GC). It is desirable that the statistical information X32 isreset to zero during manufacturing (e.g., before a test process) of thestorage unit 2. A larger value of the statistical information X32indicates that reliability is further deteriorated.

The SSDC 41 can store all the parameters explained above or can store apart of any one of the parameters in the statistical information 65. Itis desirable that the SSDC 41 stores the latest information of thestatistical information 65 in the area 40A on the RAM 40 andperiodically backs up the latest information as backup data in the area40A on the NAND memory 16. On the other hand, the SSDC 41 can store thelatest information in one of the RAM 40 and the NAND memory 16 and cantransmit the statistical information to the information processingdevice 111 and store the statistical information in the informationprocessing device 111 or a storage device connected to the informationprocessing device 111.

Forward LBA Lookup Transformation

A procedure in which the SSDC 41 specifies a physical address from anLBA (forward LBA lookup transformation) is explained with reference toFIG. 16. When an LBA is designated, the SSDC 41 calculates a trackaddress, a cluster address, and an intra-cluster address from the LBA.

First, the SSDC 41 searches through the track table 63 and specifies aphysical block ID corresponding to the calculated track address (stepsS100 and S101). The SSDC 41 determines whether the specified physicalblock ID is valid (step S102). When the physical block ID is not nulland is a valid value (Yes at step S102), the SSDC 41 searches throughthe ABT 62 and determines whether the physical block ID is entered inthe ABT 62 (step S103). When the physical block ID is entered in the ABT62 (Yes at step S104), a position shifted by the intra-track addressfrom a head position of a physical block designated by the physicalblock ID is a physical position on the NAND memory 16 corresponding tothe designated LBA (step S105). In such a case, the cluster table 64 isunnecessary for specifying a physical position on the NAND memory 16corresponding to the LBA. Such an LBA is referred to as “LBA managed intrack unit”. When the physical block ID is not entered in the ABT 62 atstep S104 (No at step S104), the designated LBA does not have a physicaladdress corresponding thereto. Such a state is referred to “unwrittenstate” (step S106).

When the physical address corresponding to the designated track addressis null and is an invalid value at step S102 (No at step S102), the SSDC41 calculates a cluster address from the LBA, searches through thecluster table 64, and acquires a physical block ID corresponding to thecalculated cluster address and an intra-physical block addresscorresponding thereto from the cluster table 64 (step S107). A positionshifted by the intra-cluster address from a head position of a physicalpage designated by the physical block ID and the intra-physical blockpage address is a physical position on the NAND memory 16 correspondingto the designated LBA. In such a case, the physical position on the NANDmemory 16 corresponding to the LBA cannot be specified from only thetrack table 63 and the cluster table 64 needs to be referred to. Such anLBA is referred to as “LBA managed in cluster unit” (step S108).

Read Operation

A read operation from the storage unit 2 and the storage unit 3 by theinformation processing device 111 is explained with reference to FIGS.17 and 18. In the read operation explained in this embodiment, 60h READFPDMA QUEUED described in Information technology ATA/ATAPI Command Set-3(ACS-3) is used as a read command. However, other read commands such as25h READ DMA EXT can be adopted. A difference in a type of the readcommand does not affect the essence of the present invention. Forexample, 02h Read described in NVM Express Revision 1.1 can be used asthe read command. When the storage unit 2 receives a read command fromthe information processing device 111 (step S110), the SSDC 41 adds theread command to a read command queue on the RAM 40 (step S111) andreturns a reception notification of the read command to the informationprocessing device 111.

On the other hand, when a read command is present in the read commandqueue on the RAM 40, the SSDC 41 determines whether read processing canbe executed (step S120). Upon determining that the read processing canbe executed, the SSDC 41 specifies a physical position of data from theLBA received from the information processing device 111 according to theforward LBA lookup transformation procedure shown in FIG. 16 (stepS121). The SSDC 41 reads the data from a physical page in the specifiedposition (step S123), subjects the read data to ECC decryption using anECC redundancy bit in the read data (step S124), transmits the decrypteddata to the information processing device 111 via the IFC 42 (stepS125), and updates the statistical information 65. The SSDC 41 can oncewrite the data read from the NAND memory 16 in the RAM 40, decrypt thedata written in the RAM 40, and transmit the decrypted data to theinformation processing device 111 or can once write the decrypted datain the RAM 40 and transmit the data written in the RAM 40 to theinformation processing device 111.

At step S124, the SSDC 41 attempts decryption by the ECC. However, whenthe decryption cannot be performed, the SSDC 41 deletes, from the ABT62, a physical block including a page that cannot be decrypted,registers the physical block in the BBT 61, and increments the totaluncorrectable ECC error count (the statistical information X09) of thestatistical information 65. Then, it is desirable that the SSDC 41copies data of the block from the FBT 60 to an allocated free block,registers a physical block ID of the free block in the ABT 62, andrewrites physical blocks of the track table 63 and the cluster table 64from a copy source physical block ID to a copy destination physicalblock ID.

Write Operation

A write operation in the storage unit 2 and the storage unit 3 by theinformation processing device 111 is explained with reference to FIG.19, FIGS. 20A and 20B. In the write operation explained in thisembodiment, 61h WRITE FPDMA QUEUED described in Information technologyATA/ATAPI Command Set-3 (ACS-3) is used as a write command. However,other write commands such as 35h WRITE DMA EXT can be adopted. Adifference in a type of the write command does not affect the essence ofthe present invention. For example, 01h Write described in NVM ExpressRevision 1.1 can be used as the write command. For example, when thestorage unit 2 receives a write command from the information processingdevice 111 (step S130), the SSDC 41 adds the write command to a writecommand queue on the RAM 40 (step S131) and returns a receptionnotification of the write command to the information processing device111.

On the other hand, when a write command is present in the write commandqueue on the RAM 40, the SSDC 41 determines whether write processing canbe executed (step S140). Upon determining that the write processing canbe executed, the SSDC 41 notifies the information processing device 111that write is possible, receives write data from the informationprocessing device 111, subjects the received data to ECC encoding, andstores the encoded data in the cache memory 46 of the RAM 40. The SSDC41 can store unencoded data in the cache memory 46 and encode the datawhen writing the data in the NAND memory 16.

Subsequently, the SSDC 41 reads the FBT 60 (step S141) and acquires aphysical block ID of a free block from the FBT 60. When a free block isabsent (No at step S142), the SSDC 41 performs NAND GC of the NANDmemory 16 explained below (step S143). After the NAND GC, the SSDC 41reads the FBT 60 (step S144) and acquires a physical block ID of a freeblock from the FBT 60. The SSDC 41 applies an erase operation to thefree block, the physical block ID of which is acquired. When an eraseerror occurs, the SSDC 41 adds the physical block ID to the BBT 61,deletes the physical block ID from the FBT 60, and executes theprocessing again from S141 to acquire a free block again. Even in aphysical block in which an erase error occurs once, if the eraseoperation is performed again, the physical block sometimes can benormally erased without causing an erase error. Therefore, in terms ofpreventing an unnecessary increase in the number of bad blocks, it isdesirable that the SSDC 41 reserves, for each of blocks, an item of anerase error count for each block serving as the statistical informationX06 in the FBT 60 and the ABT 62, increments the item when an eraseerror of the block occurs, and registers the block in the BBT 61 whenthe erase error count for each block increases to be equal to or largerthan a predetermined value. More desirably, to set only a physical blockin which erase errors continuously occur as a bad block, the SSDC 41provides an item of “erase count continuous errors for each block”instead of the “erase error count for each block”, increments the itemwhen an erase error of a block occurs, resets the item to zero whenerasing can be performed without an error, and registers the block inthe BBT 61 when the “erase count continuous errors for each block”increases to be equal to or larger than a predetermined value.

Subsequently, to find whether an LBA designated in the write command isin an unwritten state, the SSDC 41 determines whether valid datacorresponding to the LBA is already stored in the NAND memory 16according to the forward lookup transformation procedure shown in FIG.16 (steps S145 and S146).

When the LBA is in the unwritten state (Yes at step S146), the SSDC 41writes reception data stored in the cache memory 46 in a free block(step S147), registers an ID of the written free block (a new physicalblock) and the erase count of the free block in the ABT 62, and deletesthe ID of the written physical block and the erase count of the freeblock from the FBT 60 (step S151). Then, the SSDC 41 divides an LBA ofthe reception data with a section in a track unit (a track section) anddetermines whether the track section is filled with data to determinewhether the LBA is managed in track unit or managed in cluster unit(step S152). That is, when the track section is filled with data, theLBA is managed in track unit and, when the track section is not filledwith data, the LBA is managed in cluster unit. When the LBA is managedin cluster unit, the SSDC 41 rewrites the cluster table 64, associates anew physical block ID with the LBA (step S153), rewrites the track table63, and associates an invalid physical block ID (e.g., null) with theLBA. When the LBA is managed in track unit, the SSDC 41 rewrites thetrack table and associates a new physical block ID with the LBA (stepS154).

On the other hand, when the LBA is not in the unwritten state at stepS146, the SSDC 41 reads, based on a physical block ID obtained by theforward lookup transformation, all data in a physical blockcorresponding to the physical block ID from the NAND memory 16 andwrites the data in the RAM 40 (step S148). Then, The SSDC 41 overwritesthe data the data stored in the cache memory 46 and the data, which isread from the NAND memory 16 and is written in the RAM 40, in the RAM 40(Step S149) and writes the combined data in a free block (Step S150).

When a Program Error occurs at step S150, the SSDC 41 adds the physicalblock ID to the BBT 61, deletes the physical block ID from the FBT 60,and executes the processing from step S141 again to acquire a free blockagain. Even in a physical block in which a Program Error occurs once, ifthe write operation is performed again, the physical block sometimes canbe normally written without causing a Program Error. Therefore, in termsof preventing an unnecessary increase in the number of bad blocks, it isdesirable that the SSDC 41 reserves, for each of blocks, an item of anumber of times of occurrence of Program Error for each block serving asthe statistical information X05 in the FBT 60 and the ABT 62, incrementsthe item when a Program Error of the block occurs, and registers theblock in the BBT 61 when a Program Error Count for each block increasesto be equal to or larger than a predetermined value. More desirably, toset only a physical block in which Program Errors continuously occur asa bad block, the SSDC 41 provides an item of “number of times of writecontinuous errors for each block” instead of the “Program Error Countfor each block”, increments the item when a Program Error of a blockoccurs, resets the item to zero when write can be performed without anerror, and registers the block in the BBT 61 when the “number of timesof write continuous errors for each block” increases to be equal to orlarger than a predetermined value.

The SSDC 41 registers an ID and the erase count of the written freeblock (a new physical block) in the ABT 62 and deletes the ID of thewritten physical block from the FBT 60 (step S151). When the LBA ismanaged in cluster unit, the SSDC 41 rewrites the old physical block IDof the cluster table 64 to the new physical block ID (steps S152 andS153). When the LBA is managed in track unit, the SSDC 41 rewrites theold physical block ID of the track table to the new physical block ID(steps S152 and S154). Further, the SSDC 41 adds the old physical blockID and the erase count of the old physical block ID to the FBT 60 anddeletes the old physical block ID and the number of times or erasing ofthe old physical block ID from the ABT 62 (step S155). The SSDC 41updates the statistical information 65 based on the write processingexplained above.

NAND GC

Usually, a total LBA capacity (a total logical sector count) of thestorage unit 2 is designed smaller than a total capacity of the NANDmemory 16 of the storage unit 2 (over provisioning). Therefore, freeblocks are not exhausted as long as the write operation continues to beperformed in a track unit. On the other hand, when a large number oftimes of write in a cluster unit take place for an unwritten LBA, aphysical block having a capacity larger than a cluster is allocated toone write in a cluster unit. Therefore, physical blocks of the NANDmemory 16 more than a data capacity to be written are necessary.Consequently, free blocks are likely to be exhausted. When free blocksare exhausted, a free block can be acquired anew trough arrangement ofthe NAND memory 16 explained below.

The NAND GC by the SSDC 41 is explained with reference to FIG. 21. Allclusters stored in a physical block are not always valid clusters. Aninvalid cluster not equivalent to a valid cluster is not mapped to theLBA. The valid cluster is a cluster in which latest data is stored. Theinvalid cluster is a cluster in which data of the same LBA is written inanother place and is not referred to. In the physical block, there is afree space for data by a space of the invalid cluster. A free block canbe acquired by executing the NAND GC for collecting data of the validcluster and rewriting the data in a different block.

First, the SSDC 41 sets a selected physical block ID=i to zero and setsa free space cumulative amount S to zero (step S160). The SSDC 41determines whether the physical block with the ID i=0 is entered in thetrack table 63 (step S161). When the physical block is entered in thetrack table, the SSDC 41 increments i by one (step S162) and performsthe same determination concerning a physical block having the next IDnumber (step S161). That is, when the physical block ID is included inthe track table 63, because data of the physical block is managed intrack unit, the data is not a NAND GC target.

When the physical block with ID=i is not managed in track unit (No atstep S161), the SSDC 41 refers to the cluster table 64 and acquires alladdresses of a valid cluster included in the physical block with ID=i(step S163). The SSDC 41 calculates a size v for a total capacity of theacquired valid cluster (step S164). When the size v is smaller than aphysical block size (Yes at step S165), the SSDC 41 adds an ID of thepresent physical block to a NAND GC target block list (step S166).Further, the SSDC 41 adds the acquired cluster capacity v of the presentphysical block to an acquired cluster cumulative amount S and updatesthe acquired cluster cumulative amount S (step S167).

When the size v is not smaller than the physical block size or theacquired cluster cumulative amount S does not reach the physical blocksize at step S168, the SSDC 41 increments i by one (step S162) andexecutes the procedure at steps S161 to S167 in the same mannerconcerning a physical block having the next ID number. The SSDC 41repeats the procedure at steps S161 to S167 until the acquired clustercumulative amount S reaches the physical block size at step S168.

When the acquired cluster cumulative amount S reaches the physical blocksize at step S168, the SSDC 41 reads data of all valid clustersconcerning all physical blocks on the NAND GC target block list andwrites the data in the RAM 40 (step S169), erases all physical blocks onthe NAND GC target block list (step S170), and deletes the erased allphysical blocks from the ABT 62 and adds the physical blocks to the FBT60 (step S171). Then, the SSDC 41 increments the erase count. A targetof the erasing processing performed at step S170 can be limited to ablock in which data is written at step S172. This is desirable in termsof suppressing the erase count of blocks.

When an erase error occurs, the SSDC 41 adds the physical block ID tothe BBT 61 and deletes the physical block ID from the FBT 60. Even in aphysical block in which an erase error occurs once, if the erasing isperformed again, the physical block sometimes can be normally erasedwithout causing an erase error. Therefore, to prevent an unnecessaryincrease in the number of bad blocks, it is desirable that the SSDC 41reserves, for each of blocks, an item of “Erase Error Count for eachblock” in the FBT 60 and the ABT 62, increments the item when an eraseerror of the block occurs, and registers the block in the BBT 61 whenthe Erase Error Count for each block increases to be equal to or largerthan a predetermined value. More desirably, to set only a physical blockin which erase errors continuously occur as a bad block, the SSDC 41reserves an item of “erase count continuous errors for each block”instead of the “Erase Error Count for each block”, increments the itemwhen an erase error of a block occurs, resets the item to zero whenerasing can be performed without an error, and registers the block inthe BBT 61 when the “erase count continuous errors for each block”increases to be equal to or larger than a predetermined value.

The SSDC 41 acquires a new free block from the FBT 60, writes, in theacquired free block, data written in the RAM 40 (step S172), adds aphysical block ID of the free block, in which the data is written, andthe erase count of the block to the ABT 62, and deletes the block ID ofthe block, in which the data is written, from the FBT 60 (step S173).Further, the SSDC 41 updates a cluster address, a physical block ID, andan intra-physical block page address in the cluster table 64 tocorrespond to the NAND GC of this time (step S174). The SSDC 41 updatesthe statistical information 65 based on processing contents of the NANDGC.

When a Program Error occurs at step S172, the SSDC 41 adds the physicalblock ID to the BBT 61, deletes the physical block ID from the FBT 60,and acquires a free block again. Even in a physical block in which aProgram Error occurs once, if the write operation is performed again,the physical block sometimes can be normally written without causing aProgram Error. Therefore, to prevent an unnecessary increase in thenumber of bad blocks, it is desirable that the SSDC 41 reserves, foreach of blocks, an item of “Program Error Count for each block” in theFBT 60 and the ABT 62, increments the item when a Program Error of theblock occurs, and registers the block in the BBT 61 when the “ProgramError Count for each block” increases to be equal to or larger than apredetermined value. More desirably, to set only a physical block inwhich Program Errors continuously occur as a bad block, the SSDC 41reserves an item of “number of times of write continuous errors for eachblock” instead of the “Program Error Count for each block”, incrementsthe item when a Program Error of a block occurs, resets the item to zerowhen write can be performed without an error, and registers the block inthe BBT 61 when the “number of times of write continuous errors for eachblock” increases to be equal to or larger than a predetermined value.

In the procedure shown in FIG. 21, the NAND GC for preferentiallyfilling data in a free block is performed. However, the NAND GC forpreferentially acquiring a free block can be performed by calculating vby subtracting the capacity of a cluster acquired from a physical blocksize at step S164, determining whether v is smaller than 0 at step S165,shifting to step S168 when v is smaller than 0, and shifting to stepS163 when v is not smaller than 0.

Delete Notification

The delete notification processing by the SSDC 41 is explained withreference to FIG. 22. The delete notification is a command transmittedfrom the information processing device 111 to the storage unit 2 and thestorage unit 3 when deletion of data is performed by the OS 100 on theinformation processing device 111. A command used for the deletenotification processing is generally called trim command. Examples ofthe trim command include

Deallocate of a 06h Data Set Management command described in Informationtechnology ATA/ATAPI Command Set-3 (ACS-3) and a 09h Data Set Managementcommand described in NVM Express Revision 1.1. The delete notificationprocessing is a system in which, when data is deleted on the OS 100 oron a file system, a logical address area (an LBA area) where the deleteddata is present is notified to a storage device as an LBA Range Entryincluding a set of an LBA and the number of sectors, whereby the areacan be treated as a free area on the storage unit 2 and the storage unit3 as well. The SSDC 41 can acquire a free block anew according to thedelete notification. A function of the trim command can be realized bynot only the command but also, for example, SCT Command Transportdescribed in Information technology ATA/ATAPI Command Set-3 (ACS-3), a08h Write Zeroes command described in NVM Express Revision 1.1, andother commands such as a vendor unique command.

When the storage unit 2 and the storage unit 3 receive a deletenotification from the information processing device 111 (step S180), theSSDC 41 subjects an LBA designated in the delete notification to forwardLBA lookup transformation according to the procedure shown in FIG. 16.When the LBA included in the delete notification is managed in trackunit (Yes at step S181), the SSDC 41 adds a physical block ID to the FBT60 and deletes the physical block ID from the ABT 62 (step S184). On theother hand, when the LBA included in the delete notification is managedin cluster unit (No at step S181), the SSDC 41 deletes all clusterscorresponding to the physical block from the cluster table 64 (stepS182), writes an appropriate valid value (e.g., FFFF) in a physicalblock ID corresponding to a track corresponding to the LBA in the tracktable 63 (step S183), and adds the physical block ID to the FBT 60 anddeletes the physical block ID from the ABT 62 (step S184). The SSDC 41can acquire a free block trough the delete notification processing otherthan the NAND GC.

Usually, the number of free blocks sufficient for write can be acquiredby the NANG GC. When the number of free blocks sufficient for writecannot be acquired even by the NAND GC, it is desirable that the SSDC 41sets the NAND GC Error Flag of the statistical information 65 to 1 andnotifies the information processing device 111 that a free block cannotbe acquired through the acquisition of the statistical information 65 bythe information processing device 111. For example, to give a margin totime from the time when the NAND GC Error Flag changes to 1 until thestorage unit 2 actually stops operating, it is desirable to set a NANDGC failure flag to 1 when a condition (number of free blocks after theNAND GC is performed)<(number of free blocks necessary forwrite)+(margin) is satisfied and notify the information processingdevice 111 of the failure in acquisition of a free block as reliabilityinformation.

The NAND GC can be executed not only when a write request is receivedfrom the information processing device 111 but also, for example, when apredetermined time elapses after a command is received last from theinformation processing device or when a command for shift to a standby,idling, or sleep state is received from the information processingdevice 111 or can be executed, for example, when the SSDC 41 receives acommand for staring the NAND GC from the information processing device111 through SCT Command Transport described in ACS-3, other vendorcommands, or the like.

Error Processing

The error processing concerning the NAND memory 16 by the SSDC 41 isexplained with reference to FIG. 23. Various kinds of processing such asthe processing for a write request from the information processingdevice 111 and the NANG GC processing are usually performed as explainedabove. However, in some case, for example, a Program Error occurs in awrite operation (a program operation) for the NAND memory 16, an eraseerror occurs in an erase operation for the NAND memory 16, or an ECCerror (a failure in the error correction processing) occurs in a readoperation for the NAND memory 16. In this case, exception handling forthe error is necessary.

When any one of the errors occurs (step S190), the SSDC 41 adds aphysical block in which the error occurs to the BBT 61 (step S191) anddeletes the physical block in which the error occurs from the ABT 62 andthe FBT 60 (step S192) to make is impossible to thereafter access thephysical block in which the error occurs. Then, the SSDC 41 can copydata of the physical block in which the error occurs to another physicalblock. The SSDC 41 updates the statistical information 65 based on theerror processing.

The examples of the error processing are explained above concerning theread processing, the write processing, and the NAND GC processing.However, the error processing is not limited to the examples and can beapplied to all kinds of read processing, write processing, and erasingprocessing for the NAND memory 16.

Processing for Determining Life End

While the information processing device 111 is using the storage unit 2,values stored in the statistical information 65 are deteriorated and thestorage unit 2 has reached the life end. For example, while theinformation processing device 111 is using the storage unit 2, theblocks of the NAND memory 16 are deteriorated in reliability, the numberof bad blocks increases, and a sum of the number of free blocks and thenumber of active blocks decreases. Further, when the informationprocessing device 111 is using the storage unit 2, even if the SSDC 41executes the NAND GC, the number of free blocks sufficient forperforming the write processing cannot be acquired. This is an exampleof a life end of the storage unit 2. In the following explanation,processing by the control program 200 performed when the life end of thestorage unit 2 ends is explained.

When started, the control program 200 resides in the main memory 6 andmonitors reliability information such as the statistical information 65of the storage unit 2. To always monitor the statistical information 65of the storage unit 2, it is desirable that the control program 200 isread from the area 16B (or the area 20B) to the area 6B when orimmediately after the OS 100 is read from the area 16B (or 20B) to thearea 6A (see FIGS. 2 and 3).

For example, as shown in FIG. 24, the control program 200 acquiresreliability information such as the statistical information 65 from thestorage unit 2 at every fixed time (e.g., at every one minute) or ineach fixed number of times of processing (e.g., at every 100 accesses tothe storage unit 2 or at each 10 GB of data received by the storage unit2). It is possible to perform more robust protection of user data byincreasing a frequency of acquisition of the reliability information asthe storage unit 2 is closer to the life end. As a method of acquiringstatistical information, for example, a B0h/D0h SMART READ DATA commandor a B0h/D5h SMART READ LOG command, which is a command of S.M.A.R.T(Self-Monitoring Analysis and Reporting Technology) used as a selfdiagnosis function for a memory, described in INCITS ACS-3 can be used.A 02h Get Log Page command described in NVM Express Revision 1.1 can beused. A SCT Command Transport described in ACS-3 or other vendor uniquecommands can be used. A 4Dh LOG SENSE command described in SCSI PrimaryCommands-4 (SPC-4), INCITS T10/1731-D, and Revision 36e(http://www.t10.org/) can be used.

In an example shown in FIG. 27, the SSDC 41 generates table data basedon the statistical information 65 or directly stores table data in thestatistical information 65 and transmits the table data to theinformation processing device 111 as reliability information. When usingthe S.M.A.R.T as the statistical information 65, as shown in FIG. 27,the SSDC 41 allocates an attribute ID to each of components of thestatistical information 65. The SSDC 41 can allocate the attribute ID toonly a part of the components of the statistical information 65.Concerning a component, a value of which increases as reliability isfurther deteriorated, among the components of the statisticalinformation 65, the SSDC 41 calculates, for example, an attribute value,which is a value standardized as explained below.

attribute value=SMAL+SMAB×(1−AMALR)×(RMAX-Raw Value)/RMAX

Raw Value is a value itself stored in the statistical information 65.RMAX is an upper limit value of the Raw Value for enabling guarantee ofreliability. SMAB is a parameter set in advance as an initial value ofthe attribute value. For example, 100 is set as SMAB. SMAL (=attributeThreshold) is a value that the attribute value should reach when the RawValue is equal to the upper limit value RMAX and is a parameter set inadvance. For example, 30 is set as the SMAL. AMALR is a parameterderived from a relation AMALR=SMAL/SMAB and is equal to or larger than 0and smaller than 1. In this way, the SSDC 41 calculates the attributevalue of SMART information (“Value” in FIG. 27) and transmits theattribute value to the control program 200. The attribute Threshold is“Threshold” in FIG. 27. The Raw Value is “Raw Data” in FIG. 27.

For example, when the SSDC 41 uses the average erase count (thestatistical information X04) as the Raw Value, if the present averageerase count is 1000, Raw Data=1000. If the maximum erase count forenabling guarantee of the reliability of the NAND memory 16 is assumedto be 10000, RMAX=10000. If the SSDC 41 is designed to set an initialvalue of the attribute value to 100 in an initial state of the erasecount=0, SMAB=100. When the erase count reaches RMAX=10000, theattribute value reaches SMAL.

Concerning a component, a value of which decreases as reliability isfurther deteriorated, among the components of the statisticalinformation 65, the SSDC 41 calculates, for example, an attribute value,which is a value standardized as explained below.

attribute value=SMAL+SMAB×(1−AMALR)×(Raw Value−RMIN)/(RINIT−RMIN)

RMIN is a lower limit value of the Raw Value for enabling guarantee ofreliability. RINIT is an initial value of the Raw Value.

Different values can be respectively adopted as the RMAX, the AMALR, andthe SMAB for X01 to X32. When AMALR=0.3 is adopted at SMAB=100, a bestvalue of the attribute value is 100 (e.g., 100 immediately aftershipment) concerning statistical information to be adopted. When theattribute value gradually decreases as reliability is furtherdeteriorated and the storage unit 2 cannot be guaranteed in reliability(the Raw Value of the statistical information is equal to or larger thanRMAX) or the storage unit 2 is about to reach the life end, theattribute value reaches 30 or a smaller value. The control program 200can use B0h/DAh SMART RETURN STATUS, which is a command described inACS-3, as means for detecting whether the Attribute Value exceeds theThreshold and determine, from an output of the command, the life endaccording to whether the Attribute Value exceeds the Threshold.

It is desirable that a manufacturer of the storage unit 2 derives arelation between the Raw Value of the statistical information and afraction defective of the storage unit 2 in a development stage as shownin FIG. 28 and adopts, as the RMAX, the Raw Value at the time when thefraction defective exceeds an allowable value. For example, themanufacturer only has to perform, in the development stage of thestorage unit 2, an abrasion test for verifying whether written datacontinues to be correctly stored for a fixed time or more whilerepeating a write operation at high temperature for a group of a largenumber of (e.g., one hundred) storage units 2 for test and, at the sametime, continue to monitor the statistical information, and adopt, as theRMAX, the Raw Value of the statistical information at a point when thefraction defective reaches a fixed ratio. The manufacturer only has toleave the worn storage unit 2 untouched in a high-temperature state fora certain time or more, thereafter lower the temperature of the storageunit 2, perform a read operation for the storage unit 2, and, when readdata cannot be subjected to ECC correction (or there are a fixed numberor more of data that cannot be subjected to ECC correction), define thisas a failure of the storage unit 2, and adopt, as a fraction defective,a value obtained by dividing the number of failures by the number ofstorage units 2 for which equivalent tests are performed. Themanufacturer only has to adopt, the Raw Value, the fraction defective ofwhich is significantly lower than the allowable fraction defectivestatistically, as the RMAX. The manufacturer can give a certain degreeof margin to the RMAX and adopt, as the RMAX, RMAX′=RMAX−margin

The manufacturer can adopt “Worst” in FIG. 27 as an index for adiagnosis of the life end of the storage unit 2 by the control program200. “Worst” is calculated by the SSDC 41 as a worst value of theattribute value. For example, the Worst is a minimum value of theattribute value, for example, after shipment (or after manufacturing) ofthe storage unit 2. Alternatively, the manufacturer can adopt, as theWorst, a minimum value of the attribute value in a fixed time range inthe past or can adopt, as the worst value, a minimum value in a periodfrom the past when communication or processing was performed a certainfixed number of times (by a fixed data amount) to the present.

The manufacturer can adopt “Raw Data” (Raw Value) in FIG. 27 as aspecification for a diagnosis of the life end of the storage unit 2 bythe control program 200. The Raw Value of the statistical information istransmitted from the storage unit 2 to the control program 200 as theRaw Data. Then, the control program 200 already retains the RMAX in thecontrol program 200, separately reads the RMAX from the storage unit 2,or reads the RMAX from another storage device to acquire the RMAX,compares the RMAX and the Raw Data, and, when Raw Data>RMAX or Raw DataRMAX, determines that the storage unit 2 has reached the life end. Forexample, in the case of the NAND GC failure flag, when the NAND GCfailure flag is 1, the control program 200 determines that the storageunit 2 has reached the life end. For example, in the case of the totalbad block count, when the total bad block count exceeds a predeterminedvalue, the control program 200 determines that the storage unit 2 hasreached the life end. As the Raw Data transmitted from the storage unit2 to the information processing device 111, the Raw Value of thestatistical information does not always need to be output. For example,the SSDC 41 can transmit, as the Raw Data, a value obtained bysubjecting the Raw Value of the statistical information to the fourarithmetic operations to the control program 200. The control program200 can compare the Row Data with a value obtained by subjecting theRMAX to the four arithmetic operations to determine whether the storageunit 2 has reached the life end. The SSDC 41 can transmit, as the RawData, hashed data obtained by, for example, encrypting the Raw Value ofthe statistical information to the control program 200. The controlprogram 200 can decrypt the Raw Data and compare the Raw Data with theRMAX of the data after the decryption to determine whether the storageunit 2 has reached the life end.

As explained above, the control program 200 determines whether thestorage unit 2 has reached the life end (whether the storage unit 2 isin an abnormal state). When the control program 200 determines that thestorage unit 2 has reached the life end (when the control program 200determines that the storage unit 2 is in the abnormal state), thecontrol program 200 shifts to life end processing (step S205) explainedbelow. The statistical information 65 can adopt various forms other thanthe statistical information X01 to X32. The present invention can beapplied to these forms as well. The present invention can be applied notonly when a positive correlation is present in a relation between thestatistical information and the fraction defective but also when anegative correlation is present in the relation between the statisticalinformation and the fraction defective. The statistical information is,for example, a lowest temperature experienced by the storage unit 2after shipment. Then, the control program 200 only has to adopt a lowerlimit value RMIN for enabling guarantee of reliability instead of theRMAX and, when the statistical information falls below the RMIN,determine that the storage unit 2 has reached the life end.

In this embodiment, the control program 200 acquires the statisticalinformation at every fixed time (e.g., at every one minute) usingS.M.A.R.T as shown in FIG. 24 (Yes at step S200). The control program200 transmits B0h/D0h SMART READ DATA described in ACS-3, which is astatistical information acquisition command, to the storage unit 2 (stepS201), receives data including the statistical information from thestorage unit 2 (step S202), and diagnoses the received data (step S203).A diagnosis method is as explained above. When the control program 200determines at step S204 that the storage unit 2 has reached the life endor when the control program 200 determines that the storage unit 2 isabout to reach the life end (Yes at step S204), the control program 200shifts to the life end processing (step S205). Even if the storage unit2 has not reached the life end, for example, when the statisticalinformation exceeds the RMAX set in advance or indicates an abnormalvalue, which is impossible in a normal operation, it is also desirablethat the control program 200 shifts to the processing at step S205.

The control program 200 can perform the life end determination using,besides the SMART, Solid State Device Statistics (Log Address 04h, logpage 07h) described in ACS-3 that can be acquired from the storage unit2. For example, when the control program 200 determines that a value ofPercentage Used Endurance Indicator of Offset 8-15 exceeds 100%, thecontrol program 200 can shift to the life end processing.

The control program 200 can perform the life end determination using,besides the SMART, Identify Device Data that can be acquired accordingto an ECh IDENTIFY DEVICE command described in ACS-3. For example, whenthe control program 200 determines that a flag is set in a specific bitin the Identify Device Data, the control program 200 can shift to thelife end processing. In particular, if the storage unit 2 is a SSD thatadopts the invention of the Patent Literature 3, when the SSDC 41 shiftsto a read only mode, the SSDC 41 can set a flag in a specific bit in theIdentify Device Data. Consequently, the control program 200 can acquirethe Identify Device Data to recognize that the storage unit 2transitions to the read only mode and can shift to the life endprocessing.

The control program 200 can perform a life prediction for the storageunit 2 using life prediction technologies disclosed in Patent Literature22 and the Patent Literature 23 and, when determining that the life endof the storage unit 2 is about to end in a fixed period, shift to thelife end processing.

The control program 200 can shift to the life end processing usingreliability information other than the statistical information 65. Forexample, as shown in FIG. 29, the control program 200 acquires(monitors), from the OS 100, the response information (see FIG. 7)received by the OS 100 from the storage unit 2 and uses the responseinformation as the reliability information (step S210). When theresponse information is an error response (step S211), the controlprogram 200 determines that the storage unit 2 reaches an abnormalstate. The control program 200 shifts to the life end processing (stepS205). A response to be monitored can be a response to any command.However, it is desirable in terms of a reduction in a load on the CPU 5to monitor only responses to write commands to the storage unit 2 suchas 61h WRITE FPDMA QUEUED and 35h WRITE DMA EXT described in ACS-3 and01h Write command described in NVM Express Revision 1.1. In particular,if the storage unit 2 is a SSD that adopts the invention of PatentLiterature 3, when the storage unit 2 has reached the life end, aresponse to the write command to the storage unit 2 is returned as anerror. Therefore, it is possible to determine the life end withoutacquiring the statistical information. Naturally, the present inventioncan be applied when the storage unit 2 is not the SSD that adopts theinvention of Patent Literature 3.

If the storage unit 2 is the storage unit 2 that adopts the invention ofPatent Literature 3, in a state in which the storage unit 2 returns anerror in response to the write command, in rewriting of a Boot Loaderarea of the storage unit 2 explained below, it is desirable that theSSDC 41 is configured not to return an error in response to a specialwrite command (e.g., SCT command Transport described in ACS-3 and othervendor unique commands) in a Read Only mode state of Patent Literature 3and write is performed in the storage unit 2 using the special writecommand. The special write command does not have to be used for write ina storage device other than the storage unit 2. Alternatively, if the OS100 is an OS that uses only a certain write command (e.g., 61h WRITEFPDMA QUEUED) as the write command, the SSDC 41 can be configured to,when the SSDC 41 reaches Read Only of Patent Literature 3, return anerror in response to the write command (e.g., 61h WRITE FPDMA QUEUED) 3,not return an error in response to another write command (e.g., 30hWRITE SECTOR(S)) and perform write of a Boot Loader area in the storageunit 2 using another write command (e.g., 30h WRITE SECTOR(S)).

Naturally, the command to be monitored can be a command other than thewrite command. For example, as a command response, a response (output)or a report to a B0H/D4H SMART EXECUTE OFF-LINE IMMEDIATE commanddescribed in ACS-3 can be monitored or a response to 90h EXECUTE DEVICEDIAGNOSTIC can be monitored. For example, the control program 200 canshift to the life end processing using a result of a self-test of theSMART acquired from the storage unit 2. The control program 200transmits a B0h/D4h SMART EXECUTE OFF-LINE IMMEDIATE command describedin ACS-3 to the storage unit 2, whereby the SSDC 41 executes theself-test. The control program 200 transmits B0h/D0h SMART READ DATA anda B0h/D5h SMART Read Log command described in ACS-3 to the storage unit2 to acquire a result of the self-test as the reliability information.For example, when an error is included in the acquired result of theself-test, the control program 200 determines that the storage unit 2has reached the life end.

Even if a certain command response is an error response, if the commandis transmitted again, it is likely that a command response is not anerror. Then, because it is likely that the storage unit 2 has notreached the life end, in terms of performing the life end processingonly when a command error having reproducibility occurs, it is desirableto perform the life end processing when the command error occurs aplurality of times. Further, in terms of strictly determining errorreproducibility, it is desirable to perform the life end processing whenthe command error continuously occurs a plurality of times.Alternatively, as shown in FIG. 30, when an error response is receivedas a response to a command during monitoring of a command to the storageunit 2 (step S220 and Yes at step S221), the control program 200 or theOS 100 can transmit the command to the storage unit 2 again (commandretry) (step S222) and, when an error response is received as a responseto the retried command (Yes at step S223), perform the life endprocessing (step S205).

The control program 200 can shift to the life end processing usingreliability information acquired from the information processing device111. For example, when a thermometer is set in the informationprocessing device 111, the control program 200 can monitor temperatureoutput from the thermometer and, when the temperature exceeds an upperlimit value or falls below a lower limit value, perform the life endprocessing as reliability deterioration time processing.

Data Configuration of in a Normal State

FIG. 31 is a configuration example of data managed by the informationprocessing device 111 before the life end processing S205 is performed.As explained above, the information processing device 111 transmits adata read or a write command to the storage unit 2 designating an LBA,which is a logical address, rather than requesting the storage unit 2 toread or write data directly designating a physical address of the NANDmemory 16. The SSDC 41 in the storage unit 2 dynamically maps the LBAand a physical address of the NAND memory 16 based on mappinginformation stored in the management information 44. In this way, datathat can be directly managed by the information processing device 111 ismanaged according to the LBA. As an address space that can be managed bythe information processing device 111, an LBA area 2001 is mapped to thestorage unit 2. The LBA area 2001 includes a Boot Loader area 2002, ametadata area 2003, and a user data area 2004. A part of the areas canbe allocated to an area other than the LBA area such as a log pageaddress accessible by a SMART Read Log command or a Read Log command ofACS-3. The storage unit 2 is allocated to the logical drive 4.

The Boot Loader area 2002 is an area read during the start of theinformation processing device 111. In this embodiment, the Boot Loaderarea 2002 is allocated to a fixed area of the LBA. However, theinformation processing device 111 can dynamically allocate the BootLoader area 2002. As an example of the Boot Loader area, for example,there is a Master Boot Record (MBR). In the MBR, for example, an area ofone logical sector in total (512 Bytes in total) of LBA=0x000 isallocated as the fixed Boot Loader area. As an example of the BootLoader area, for example, there is a GUID partition table (GPT). In thisembodiment, the Boot Loader area 2002 includes, as shown in FIG. 32, ametadata pointer area 2005 in which a head LBA of the metadata area 2003is stored, a status storage area 2006 in which a storage status isstored, and an address area 2007 (a data migration target managementarea 2007) in which a data migration target storage device address isstored. For example, when the storage unit 2 is a data migration sourceand the storage unit 3 is a data migration destination, a storage unitidentification name of the storage unit 3 is stored in the datamigration target management area 2007 of the storage unit 2 and astorage unit identification name of the storage unit 2 is stored in adata migration target management area 3007 of the storage unit 3. Inthis embodiment, data stored in the status storage area 2006 can takevalues 0 to 5. The respective values indicate states of a storage unitat a storage destination as follows:

0: initial storage state

1: normal state

2: low reliability state

3: data migration source state (protected state)

4: data migration destination state

5: discard target state

The information processing device 111 reads the pointer 2005 whenstarted, specifies an LBA of the metadata area 2003, and reads themetadata 300 from the metadata area 2003 of the LBA area 2001 to ametadata area 6C of the main memory 6. When rewriting of a file takesplace, the OS 100 rewrites the metadata 300 of the metadata area 6C ofthe main memory 6, periodically backs up the metadata 300 of themetadata area 6C in the metadata area 2003 of the storage unit 2, andsequentially records a journal of the metadata 300 in the metadata area2003 of the storage unit 2.

FIG. 33 is a configuration example of the metadata 300. A file ID is anaddress or a file name of data used by the application program 400 toidentify the data. A logical drive address is an address allocated toeach of logical drives used for specifying the logical drive 4 (seeFIGS. 31 and 38). A storage unit identification name is an addressallocated to a physical storage device used for specifying a physicalstorage device such as the storage unit 2 or the storage unit 3. In thisembodiment, a WWN (World Wide Name) is used as the storage unitidentification name. Because different values are respectively allocatedto storage devices as the WWN, the WWN can be used to distinguish thephysical storage device. The WWN is stored in, for example, Word108-111of data read by an ECh Identify Device command described in ACS-3.Alternatively, as the storage unit identification name, for example, aserial number allocated to Word10-19 of data read by the ECh IdentifyDevice command described in ACS-3 can be used, a Serial Number (SN)allocated to Byte23:04 of data read by a 06h Identify command describedin NVM Express Revision 1.1 can be used, or a MAC (Media Access Control)address or an IP (Internet Protocol) address in a network protocol canbe used. The storage unit identification name can be written in astorage device in advance during manufacturing of the storage device orcan be allocated anew by the information processing device 111 when thestorage device is connected to the information processing device 111. AnLBA address of the user data area 2004 mapped by the metadata 300 isstored in the LBA of the metadata 300. An LBA of an area other than theuser data area 2004 such as an LBA of the metadata area 2003 or the BootLoader area 2002 can be stored in the LBA of the metadata 300. A sectorcount indicates a data length.

The metadata 300 is used by the OS 100 to forward-look up the storageunit identification name, the LBA, and the sector count from the file IDand the logical drive address or used by the OS 100 to reverse-look upthe logical drive address and the file ID from the storage unitidentification name, the LBA, and the sector count. Usually, theapplication program 400 directly designates the storage unit 2 and theLBA and does not perform read from and write in the storage unit and thestorage device. The OS 100 recognizes (mounts) the storage unit 2 as thelogical drive 4. When the application program 400 transmits the logicaldrive address and the file ID to the OS 100, the OS 100 reads themetadata 300, specifies a storage unit and an LBA corresponding to thelogical drive and the file ID, and transmits a command and the LBA tothe storage unit.

The logical drive is allocated to one or a plurality of physical drives,which is lower order layers, or an LBA area in a part of the physicaldrives by the OS 100 and the control program 200 shown in FIG. 7.Consequently, the application program 400, which is a higher orderlayer, virtually recognizes the logical drive as one drive. In thisembodiment, in a state before the life end processing S205, the logicaldrive 4 is allocated to the storage unit 2, which is as a physicalstorage device. Even in the state before the life end processing S205, astorage array of Redundant Arrays of Inexpensive Disks (RAID), forexample, a storage array of RAID0 or RAID5 can be configured using aplurality of physical storage devices. The storage array can berecognized as one logical drive 4. The present invention can also beapplied in that case.

FIG. 34 is a flowchart of a procedure performed when the applicationprogram 400 transmits an access request to the logical drive 4 to the OS100. When the application program 400 transmits an access request (e.g.,a file read request or a file write request), a logical drive address,and a file ID to the OS 100 (step S300), the OS 100 reads the metadata300 from the metadata area 6C (step S301). The OS 100 forwardlookup-transforms the logical drive address and the file ID into astorage unit identification name and an LBA (step S302) and transmits acommand and the LBA to a storage unit corresponding to the storage unitidentification name (step S303). The storage unit performs a writeoperation in the user data area 2004 and a read operation from the userdata area 2004 according to the command and transmits a response or datato the OS 100 (step S304). The OS 100 receives the response and the datafrom the storage unit and transmits a response and the data to theapplication program 400 and the processing ends (step S305).

In this embodiment, in a state before the life end processing S205concerning the storage unit 2 is performed, because the logical drive 4is configured from only the storage unit 2, all storage unitidentification names corresponding to the logical drive 4 in themetadata 300 are WWNs of the storage unit 2. On the other hand, as inbuilding of a RAID array in a logical drive, a plurality of storage unitidentification names can be allocated to one logical drive address inthe metadata 300 before the life end processing S205 is performed.

In the storage status area 2006, information concerning a storage unitfor the OS 100 is stored. FIG. 35 shows a processing procedure of thecontrol program 200 performed when the information processing device 111starts and when the storage unit is connected to the interface 19. Thecontrol program 200 reads the storage status area 2006 of the BootLoader area 2002 of the storage unit through the interface 19 andchanges, according to a read value, a state of the storage unit notifiedto the OS 100. When a storage status is 0 (step S311), the controlprogram 200 notifies the OS 100 that the storage unit is an initialstorage unit. The OS 100 recognizes the storage unit as the initialstorage unit (step S312). During factory shipment of the storage unit orwhen the information processing device 111 erases the storage unit byusing a F4h Security Erase Unit command of ACS-3, a 80h Format NVMcommand of NVM Express Revision 1.1, or the like, a value of the storagestatus area 2006 of the storage unit is changed to the storage status=0.When the information processing device 111 formats the storage unit, avalue of the storage status area 2006 of the storage unit is changed tothe storage status=0.

When the storage status is 1 (step S313), the control program 200notifies the OS 100 that the storage unit is in the normal state. The OS100 recognizes the storage unit as being in the normal state (stepS314). The storage status of the storage unit 2 before the life endprocessing S205 is the storage status=1.

When the storage status is 2 (step S315), the control program 200notifies the OS 100 that the storage unit is in the low reliabilitystate. The control program 200 recognizes the storage unit as being inthe low reliability state (step S316) and performs the life endprocessing S205.

When the storage status is 3 (step S317), the control program 200notifies the OS 100 that the storage unit is performing data migrationwork functioning as a data migration source. The OS 100 recognizes thestorage unit as being in a protected state (step S318).

When the storage status is 4 (step S319), the control program 200notifies the OS 100 that the storage unit is performing data migrationwork functioning as a data migration destination. The OS 100 recognizesthe storage unit as being in the data migration destination state (stepS320).

When the storage status is 5 (step S321), the control program 200notifies the OS 100 that the storage unit is in the discard targetstate. The OS 100 recognizes the storage unit as being in the discardtarget state (step S322). When the storage status is other than 0 to 5,it is desirable that the OS 100 regards the storage unit as anunauthorized storage unit and does not mount the storage unit (stepS323).

FIGS. 36 and 37 are state transition charts for explaining a life cycleof the storage unit. A value of the storage status area 2006 of thestorage unit immediately after manufacturing of the storage unit,immediately after shipping of the storage unit, immediately aftererasing of the storage unit, and immediately after formatting of thestorage unit is the storage status=0 indicating the initial storagestate (step S330). Thereafter, the storage status changes to the storagestatus=1 indicating the normal state, whereby the storage unit is usedas a normal storage unit by the OS 100 (step S331). As the storage unitis further deteriorated in reliability, the storage unit transitions tothe storage status=2 indicating the low reliability state (step S332).After transitioning to the storage status=3 indicating the protectedstate (step S333), the storage unit changes to the storage status=5indicating the discard target state (step S334). Then, finally, thestorage unit is discarded by an operator or an administrator of theinformation processing system 1.

FIG. 37 shows a life cycle of the storage unit recognized as being inthe data migration destination state on the information processingdevice 111. Then, after the initial storage state of the storage state=0at step S330, after transitioning to the data migration destinationstate (the storage status=4) (step S330 b), the storage unit in the datamigration source state is detached, whereby the storage unit is used inthe normal state of the storage status=1 (step S331).

FIG. 38 shows a state in which, when the storage unit 2 is recognized asbeing in the low reliability state, the storage unit 3 different fromthe storage unit 2 is connected. An LBA area 3001 is allocated to theconnected source unit 3 as an address space that can be managed by theinformation processing device 111. The LBA area 3001 includes a BootLoader area 3002, a metadata area 3003, and a user data area 3004.

When the storage unit 2 is recognized as being in the low reliabilitystate, as indicated by a broken line part of FIG. 39, the storage unit 3in the normal state already connected to the information processingdevice 111 can be recognized as being in the data migration destinationstate instead of a storage unit in the initial storage state beingrecognized as being in the data migration destination state when thestorage unit is connected to the information processing device 111.

Life End Processing (Processing at the End of the Storage Unit's Life)

A flowchart of processing performed by the control program 200 in thelife end processing S205 is shown in FIG. 40. When the connected storageunit 2 has reached the life end or is about to reach the life end andthe life end processing is started, the control program 200 determineswhether the storage status area 2006 of the Boot Loader area 2002 is inthe storage status=2 (the low reliability state) (step S340). When aresult of the determination is negative, the control program 200rewrites the storage status area 2006 to the storage status=2 (stepS341) and shifts the procedure to step S342. When the determinationresult at step S340 is affirmative, the control program 200 shifts theprocedure to step S342.

As at step S342, it is desirable that the control program 200 displays,on the display 9, a message for urging connection of a new storage unitsuch as “please connect a new storage unit to the interface 19”. Thecontrol program 200 determines whether a storage unit in the storagestatus=0 (the initial storage state) is connected (step S343).

When a new storage unit is connected (when the storage unit 3 isconnected), the control program 200 copies the Boot Loader area 2002 ofthe storage unit 2 to the Boot Loader area 3002 of the connected storageunit 3 in the storage status=0 (the initial storage state) (step S344,see FIG. 32). The control program 200 rewrites the storage status area3006 of the Boot Loader 3002 of the storage unit 3 to the storagestatus=4 (the data migration destination status) (step S345).

When a storage unit in the storage status=0 (the initial storage state)is already connected or when a storage unit in the storage status=1 (thenormal state) that can be allocated as the data migration destination isalready connected at the point of Yes at step S340 or at the point ofstep S341, the control program 200 can set the storage unit as thestorage unit 3, copy the Boot Loader area 2002 of the storage unit 2 tothe Boot Loader area 3002 of the storage unit 3, and rewrite the storagestatus area 3006 of the Boot Loader area 3002 of the storage unit 3 tothe storage status=4.

The control program 200 writes the storage unit identification name ofthe storage unit 2 in the data migration target management area 3007 ofthe Boot Loader area 3002 of the storage unit 3 (step S346). The controlprogram 200 rewrites the storage status area 2006 of the Boot Loaderarea 2002 of the storage unit 2 to the storage status=3 (the protectedstate) (step S347). The control program 200 writes the storage unitidentification name of the storage unit 3 in the data migration targetmanagement area 2007 of the Boot Loader area 2002 of the storage unit 2(step S346). Looking at the data migration target management area 2007of the storage unit 2 and the data migration target management area 3007of the storage unit 3, the user can recognize that the storage unit 2and the storage unit 3 are a pair for the data migration processing.

The control program 200 reads the latest metadata 300 from the mainmemory 6 or the metadata storage area 2003 of the storage unit 2, writesthe read latest metadata 300 in the metadata storage area 3003 of thestorage unit 3, and copies the latest metadata 300 (step S349). Thecontrol program 200 causes the OS 100 to recognize the storage unit 2and the storage unit 3 as one logical drive 4 (step S350). The controlprogram 200 updates the logical drive status table 450 in an area 6D onthe main memory 6 such that the status changes from the “normal state”to the “data migrating state” (step S351).

FIG. 41 shows the logical drive status table 450 stored in the area 6Dof the main memory 6. In the logical drive status table 450,correspondence between a plurality of logical drives and a plurality ofstatuses is managed. The control program 200 updates the logical drivestatus table 450 at any time based on a state (the normal state or thedata migrating state) of the logical drives.

In this embodiment, as shown in FIG. 38, according to the life endprocessing S205, the storage unit 2 and the storage unit 3 arerecognized as the logical drive 4 functioning as a singular logicaldrive. Read and write of data after the new storage unit 3 is connecteduntil the logical drive 4 is built using the storage unit 3 take placeat a degree equivalent to a data amount of the metadata 300 at most.Therefore, compared with time until the storage unit is replaced in theRAID storage array and mounted as the logical drive, mounting of thestorage unit 3 is performed at extremely high speed.

Before the life end processing S205, the metadata 300 in the metadataarea 6C of the main memory 6 and the journal of the metadata 300 isperiodically backed up in the metadata area 2003 of the data migrationsource storage unit 2 by the OS 100. However, after the life endprocessing S205, the metadata 300 in the metadata area 6C of the mainmemory 6 and the journal of the metadata 300 are periodically backed upin the metadata area 3003 of the data migration destination storage unit3 by the OS 100. Consequently, metadata close to the latest metadata isstored in the metadata area 3003. Old metadata before the life endprocessing S205 is stored in the metadata area 2003.

In the above explanation, the low reliability state of the storagestatus=2 is defined. However, when the control program 200 determines asa result of comparison of the reliability information and the thresholdthat the storage unit 2 has reached the life end, the control program200 can immediately shift the storage state of the storage unit 2 to thedata migration source state (the protected state) of the storagestatus=3 without shifting the storage status to the low reliabilitystate of the storage status=2. That is, when the life end processing isstarted, at step S340 in FIG. 40, the control program 200 determinewhether the storage status area 2006 of the Boot Loader area 2002 of thestorage unit 2 is the storage status=3 (the data migration sourcestate). When a result of the determination is negative, at step S341 inFIG. 40, the control program 200 rewrites the storage status area 2006to the storage status=3 and shifts the procedure to step S342. Thesubsequent procedure is the same as the procedure shown in FIG. 40except that step S347 is deleted.

Write in the Logical Drive

FIG. 42 shows a processing procedure of the OS 100 performed when a filedata write request is transmitted from the application program 400 tothe OS 100. The OS 100 receives a write request, a logical driveaddress, a file ID, and data from the application program 400 (stepS360). The OS 100 reads the logical drive status table 450 from the mainmemory 6 (step S361), reads the metadata 300 from the main memory 6(step S362), and allocates an LBA for data write referring to themetadata 300 (step S363).

The OS 100 determines whether a logical drive designated by a writecommand based on the logical drive status table 450 is in the normalstate or the data migrating state (step S364). When the logical drive isin the normal state, the OS 100 transmits a write command, the LBA, andwrite data to the storage unit 2 (step S365). The OS 100 receives aresponse from the storage unit 2 (step S366). The OS 100 updatesmetadata on the main memory 6 and maps a write file ID to the storageunit 2, the LBA, and a sector count (step S367). The OS 100 transmits aresponse to the application program 400 (step S371).

When the logical drive is in the data migrating state, the OS 100transmits a write command, the LBA, and write data to the data migrationdestination storage unit 3 (step S368). The OS 100 receives a responsefrom the storage unit 3 (step S369). The OS 100 rewrites the metadata onthe main memory 6 and maps a write file ID to the storage unit 3, theLBA, and a sector count (step S370). The OS 100 transmits a response tothe application program 400 (step S371). That is, when the logical driveis in the data migrating state, according to write in the data migrationdestination storage unit 3, the OS 100 updates the metadata on the mainmemory 6 such that addresses of stored data of the storage unit 2 andthe storage unit 3 are changed. Update processing for the metadata foran address of stored data involved in the write can be performedsimultaneously and in parallel with the write processing in the storageunit 3, can be performed in the write processing in the storage unit 3,can be performed before the write processing in the storage unit 3 isperformed, and can be performed after the write processing in thestorage unit 3 is performed.

File Delete Request to the Logical Drive

FIG. 43 shows a processing procedure of the OS 100 performed when a filedelete request is transmitted from the application program 400 to the OS100. The OS 100 receives a delete command, a logical drive address, anda file ID from the application program 400 (step S900). The OS 100 readsthe logical drive status table 450 from the main memory 6 (step S901),reads the metadata 300 from the main memory 6 (step S902), and forwardlookup-transforms the logical drive address and the file ID into astorage unit identification name and an LBA referring to the metadata300 (step S903). The OS 100 deletes a row in which a file ID of a deletetarget file is included from the metadata in the memory 6 or rewritesthe file ID of the delete target file on the metadata in the main memory6 with an invalid ID to delete the delete target file ID from themetadata 300 (step S904).

The OS 100 determines whether a logical drive designated by a deletecommand based on the logical drive status table 450 is in the normalstate or the data migrating state (step S905). When the logical drive isin the normal state, the OS 100 transmits a delete notification and anLBA to the storage unit 2 (step S906). The OS 100 receives a responsefrom the storage unit 2. The OS 100 transmits a response to theapplication program 400 (step S910).

When the logical drive is in the data migrating state, the OS 100determines whether the storage unit identification name after theforward lookup transformation is the data migration source storage unit2 or the data migration destination storage unit 3 (step S907). When thestorage unit identification name after the forward lookup transformationis the storage unit 2, the OS 100 transmits a delete notification and anLBA to the storage unit 2 (step S908), receives a response from thestorage unit 2, and transmits a response to the application program 400(step S910). When the storage unit identification name after the forwardlookup transformation is the storage unit 3, the OS 100 transmits adelete notification and an LBA to the storage unit 3 (step S909),receives a response from the storage unit 3, and transmits a response tothe application program 400 (step S910).

Data Read from the Logical Drive

FIG. 44 shows a processing procedure of the OS 100 performed when a readrequest for file data is transmitted from the application program 400 tothe OS 100. The OS 100 receives a read request, a logical drive address,and a file ID from the application program 400 (step S380). The OS 100reads the logical drive status table 450 from the main memory 6 (stepS381), reads the metadata 300 from the main memory 6 (step S382), andforward lookup-transforms the logical drive address and the file ID intoa storage unit identification name, an LBA, and a sector count for dataread referring to the metadata 300 (step S383).

When the storage unit identification name after the forward lookuptransformation designates the storage unit 2 (step S384), the OS 100transmits a read command, the LBA, and the sector count to the storageunit 2 (step S385). The OS 100 receives a response and read data fromthe storage unit 2 (step S386). The OS 100 transmits the read data and aresponse to the application program 400 (step S389).

When the storage unit identification name after the forward lookuptransformation designates the storage unit 3 (step S384), the OS 100transmits a read command, the LBA, and the sector count to the storageunit 3 (step S387). The OS 100 receives a response and read data fromthe storage unit 3 (step S388). The OS 100 transmits the read data and aresponse to the application program 400 (step S389). For example, whenLBA=0 indicates a data migrated state and LBA=1 indicates a dataun-migrated state, if read is performed with the LBA=0 and sectorcount=1, the read is performed from the storage unit 3 of the storageunit 2 and the storage unit 3, if read is performed with the LBA=1 andthe sector count=1, the read is performed from the storage unit 2 of thestorage unit 2 and the storage unit 3, and, if read is performed withthe LBA=0 and sector count=2, the read is performed from both of thestorage unit 2 and the storage unit 3.

In this way, write in the data migration source storage device isprohibited and data migration from the data migration source storagedevice to the data migration destination storage device is realizedusing write in the data migration destination storage unit 3. Therefore,backup work by the administrator, the operator, or the user of theinformation processing system 1 is unnecessary. In the data migration,copying of the user data 2004 is not performed. The data migration isperformed using new write processing of the user data 2004. Therefore,write processing performance of the application program 400 is notdeteriorated even during the data migration. After the life endprocessing S205, write processing that takes place in the storage unit 2is limited to only write processing in the storage status area 2006 atmost. Therefore, write processing in the storage unit 2 hardly takesplace. In this way, even after the life end processing S205 for thestorage unit 2, the logical drive 4 itself is recognized as a readableand writable drive for the application program 400. However, actually,for the information processing device 111, the storage unit 2 is treatedas if the storage unit 2 is a read only device.

Write Back Backup

When data in the data migration source storage unit 2 is read to thecache memory area in the main memory 6, the metadata 300 can be updatedto write the data read to the cache memory area in the data migrationdestination storage unit 3 (write back) and map a file ID of the data toa write destination LBA. This is explained below with reference to FIG.45.

The OS 100 receives a read request, a logical drive address, and a fileID from the application program 400 (step S400). The OS 100 reads thelogical drive status table 450 from the main memory 6 (step S401), readsthe metadata 300 from the main memory 6 (step S402), and forwardlookup-transforms the logical drive address and the file ID into astorage unit identification name, an LBA, and a sector count for dataread referring to the metadata 300 (step S403).

When the storage unit identification name after the forward lookuptransformation designates the storage unit 3 (step S404), the OS 100transmits a read command, the LBA, and the sector count to the storageunit 3 (step S409). The OS 100 receives a response and read data fromthe storage unit 3 (step S410). The OS 100 transmits the read data readfrom the storage unit 3 and a response to the application program 400(step S411).

When the storage unit identification name after the forward lookuptransformation designates the storage unit 2 (step S404), the OS 100transmits a read command, the LBA, and the sector count to the storageunit 2 (step S405). The OS 100 transmits a write command, the LBA, andthe sector count to the storage unit 3 (step S406). The OS 100 receivesa response and read data from the storage unit 2 (step S407). The OS 100transmits the data read from the storage unit 2 to the storage unit 3 tothereby perform background write for writing the date read from thestorage unit 2 in the storage unit 3 (step S408). The OS 100 transmitsthe data received from the storage unit 2 and a response to theapplication program 400 (step S412). The OS 100 updates the metadata onthe main memory 6 to map a write file ID to the storage unit 3, the LBA,and the sector count (step S413).

In this way, in the background of the data read from the logical drive 4to the information processing device 111, data migration to the storageunit 3 can be performed. The size of an LBA area in which backgroundbackup explained should be performed is reduced. A period from the startto the completion of the data migrating state is further reduced. Inparticular, in the read operation of the logical drive 4, the data readfrom the storage unit 2 and the data write back to the storage unit 3are performed in parallel, whereby data migration can be performed athigher speed.

Background Backup

The logical drive 4 is in the data migrating state in the logical drivestatus table 450, backup is performed in the background from the datamigration source storage unit 2 to the data migration destinationstorage unit 3 (background backup) when an access from the applicationprogram 400 and the OS 100 to the logical drive 4 hardly takes place(during idling). The control program 200 reads the metadata 300 from themain memory 6 and searches for a file ID mapped to the storage unit 2.If a file mapped to the storage unit 2 is present, the control program200 transmits a read command to the storage unit 2 to perform read froman LBA of the file and reads data. The control program 200 transmits awrite command and the read data to the LBA of the storage unit 3,performs write, rewrites the metadata 300 on the main memory 6, and mapsthe file ID to the storage unit 3.

Data Migration Completion Time

FIG. 46 shows an operation procedure of a control program at datamigration completion time. When a status of the logical drive 4 is the“data migrating state” in the logical drive status table 450 (stepS420), the control program 200 periodically reads the metadata 300 onthe main memory 6 (step S421) and periodically checks whether amigration target file ID mapped to the storage unit 2 is present (stepS422). For example, the control program 200 periodically checks whethera migration target file ID mapped to the storage unit 2 is present amongfile IDs of all files stored in the logical drive 4. When the migrationtarget file ID is present, because data migration is not completed yet,the control program 200 continues the status of the data migratingstate.

On the other hand, when the migration target file ID is absent, thecontrol program 200 rewrites the storage status area 3006 of the datamigration destination storage unit 3 to the storage status=1 (the normalstate) (step S423) and rewrites the area 2006 of the data migrationsource storage unit 2 to the storage status=5 (the discard target state)(step S424). The control program 200 separates the storage unit 2 fromthe logical drive 4, recognizes (mounts) only the storage unit 3 of thestorage unit 2 and the storage unit 3 as the logical drive 4 (stepS425), and rewrites a status of the logical drive 4 from the “datamigrating state” to the “normal state” in the logical drive status table450 (step S426).

Consequently, the storage unit 2 can be physically (mechanically)detached and can be discarded at any time. The storage unit 3 plays therole of the storage unit 2 before the life end processing S205.Thereafter, the storage unit 3 can be regarded as the storage unit 2.The data configuration of the information processing device 111 returnsto the state shown in FIG. 31, which is the data configuration beforethe life end processing S205.

To safely detach the storage unit 2 from the information processingdevice 111, after the storage unit 2 is separated from the logical drive4, it is desirable to transmit the E0h Standby Immediate command and thelike described in Information technology ATA/ATAPI Command Set-3 (ACS-3)to the storage unit 2 or change a register value of the storage unit 2by, for example, setting Shutdown Notification (CC.SHN) described in NVMExpress Revision 1.1 to 01b to transition the storage unit 2 to a statein which power supply interruption is possible.

To reduce the power consumption of the storage unit 2 that can bediscarded, after the storage unit 2 is separated from the logical drive4, state transition commands such as the E0h Standby Immediate commandand the E6h SLEEP command described in Information technology ATA/ATAPICommand Set-3 (ACS-3) can be transmitted to the storage unit 2, thepower supply to the storage unit 2 can be interrupted, the storage unit2 can be transitioned to a Partial state and a Slumber state describedin Serial ATA Revision 3.1 Gold Revision, a DEVSLP signal described in“Serial ATA Technical PropOSal: SATA31_TPR_C108 Title: Device Sleep” canbe activated to transition the storage unit 2 to a DevSleep state, orthe storage unit 2 can be transitioned to a D1 state, a D2 state, or aD3 state described in PCI Express Base Specification Revision 3.0 or canbe transitioned to an L1 state, an L2 state, or an L3 state described inPCI Express Base Specification Revision 3.0.

FIG. 47 is a conceptual diagram of a read state from the logical drive 4by the information processing device 111 in a state in which the storageunit 2 is in the storage status=3 (the protected state) and the storageunit 3 is in the storage status=4 (the data migration destinationstate). In the storages 2 and 3, LBAs at mapping sources do not overlap.In this state, data is read from at least one of the storage units 2 and3.

FIG. 48 is a conceptual diagram of a write state in the logical drive 4by the information processing device 111 in a state in which the storageunit 2 is in the storage status=3 (the protected state) and the storageunit 3 is in the storage status=4 (the data migration destinationstate). In this state, write is performed for only the storage unit 3 ofthe storage unit 2 and the storage unit 3. That is, the storage unit 2functions as if the storage unit 2 is a read only device. When data iswritten in the storage unit 3, old mappings to the storage unit 2 areinvalidated.

As explained above, when the storage unit 2 has reached the life end oris about to reach the life end according to this embodiment, onlyrewriting of the storage status area 2006 takes place as rewriting ofthe storage unit 2. Therefore, the rewrite processing is hardlyperformed and the storage unit 2 is treated as if the storage unit 2 isa read only device. On the other hand, the logical drive behaves as areadable and writable drive. Therefore, for the application program 400,the logical drive 4 behaves the same as before the life end. Datamigration of data from the storage unit 2 to the storage unit 3 occurswhen write in the logical drive 4 is requested from the applicationprogram 400 or the SS 100. The data migration is performed in a form oflogical data transition by data write processing from the applicationprogram 400 or the OS 100 to the storage unit 3 and metadata rewritingrather than copying of entity data from the storage unit 2 to thestorage unit 3. Consequently, the data migration of data from thestorage unit 2 to the storage unit 3 can be executed in the backgroundof normal data write from the application program 400 or the OS 100 tothe storage unit 2. In the logical data transfer, compared with thecopying of the entity data, a read processing amount and a writeprocessing amount in the NAND flash memory 16 are markedly small and aband use ratio of the interface 19 is markedly small. As explainedabove, the data migration processing in this embodiment is performed atmarkedly high speed compared with the backup processing in a comparativeexample in which processing for reading data from the storage unit 2 andwriting the data in the storage unit 3 is performed independently froman access from the application program 400 or the OS 100 to the logicaldrive 4. That is, a data migration time is substantially zero for an LBAin which write from the application program 400 or the OS 100 takesplace.

For an LBA in which write from the application program 400 or the OS 100does not take place, backup processing is separately necessary. However,unlike the backup processing and rebuilding of a RAID array in acomparative example in which data has to be copied before mounting of anew storage device, the backup processing can be performed in thebackground at idling time after the storage unit 2 and the storage unit3 are mounted. Therefore, it is possible to suppress performancedeterioration in the application program 400. Unlike the backupprocessing in the comparative example in which copying of user data isnecessary before mounting of a new storage device and rebuilding of alogical drive by a RAID or the like in which rebuilding of user data andparity data is necessary before mounting of a new storage device, in thelogical drive rebuilding involved in connection of a data migrationdestination storage device according to this embodiment, as shown inFIG. 40, only rewriting of the storage status area and the storage unitidentification name area and copying of the metadata area are necessary.Therefore, it is possible to perform the logical drive rebuilding atextremely high speed.

Second Embodiment

In the example explained in the first embodiment, the metadata 300stored in the main memory 6 is used as information for searching fordata migrated to the storage unit 3. Consequently, for example, when theOS 100 is requested by the application program 400 to read data of thelogical drive 4 with a file ID designated, by reading the metadata 300,the OS 100 can acquire information concerning from which of the storageunit 2 and the storage unit 3 data should be read and informationconcerning from which LBA data should be read. In an example explainedin the second embodiment, a data migration log area 550 stored in thestorage unit 3 is used as information for searching for data migrated tothe storage unit 3. For example, when the OS 100 is commanded by theapplication program 400 to read data of the logical drive 4, by readingthe data migration log area 550, the OS 100 can acquire informationconcerning from which of the storage unit 2 and the storage unit 3 datashould be read. In this embodiment, the application program 400transmits a read request and a write request to the OS 100 directlydesignating an LBA. The invention of this embodiment can also be appliedwhen the application program 400 transmits a read command and a writecommand to the OS 100 designating a file ID as in the first embodiment.Then, the control program 200 or the OS 100 can transform the file IDinto an LBA by reading the metadata 300. Read and write processingconcerning the transformed LBA is performed in the same manner as thisembodiment.

In FIG. 49, the configuration of the information processing system 1 inthe second embodiment is shown. The basic configuration of theinformation processing system 1 is the same as that in the firstembodiment. A logical drive is a logically built drive that the OS 100can recognize. A logical drive ID (a drive name, a volume number, alogical unit number, etc.) is allocated to the logical drive. The OS 100recognizes, as the logical drive, one or a plurality of storage unitsfunctioning as physical devices. The logical drive is divided intological sectors (logical blocks). LBAs are allocated to the respectivelogical sectors. The logical drive is allocated to one or a plurality ofphysical drives, which are lower order layers, and an LBA area in a partof the physical drives by the OS 100 and the control program 200 shownin FIG. 7. The OS 100 transforms an LBA of the logical drive and an LBAof the physical drive each other. The application program 400, which isa higher order layer, virtually recognizes the logical drive as onedrive. In this embodiment, in a state before the life end processingS205, the logical drive 4 is allocated to the storage unit 2 functioningas a singular physical storage unit. In this case, the LBA of thelogical drive and the LBA of the physical drive have the same value.Even in the state before the life end processing S205, a storage arrayof Redundant Arrays of Inexpensive Disks (RAID), for example, a storagearray of RAID0 or RAID5 can be configured using a plurality of physicalstorage devices and recognized as one logical drive 4. This embodimentcan be applied even in such a case. The application program 400 canaccess a specific logical sector in a specific logical drive by giving acommand including a logical drive ID and a logical address formed by anLBA to the OS 100. The logical drive ID can be allocated to a part of anLBA area of the storage unit rather than the entire LBA area.Consequently, the storage unit 2 and the storage unit 3 can be dividedinto a plurality of logical drives and managed. Separate logical driveIDs can be allocated to the respective logical drives.

In this embodiment, as an example, the SSD functioning as the storageunit 2 described in the first embodiment is used as the storage unit 2and the SSD functioning as the storage unit 3 described in the firstembodiment is used as the storage unit 3. To discard the storage unit 2after reliability deterioration to reduce a setting space and reduce thepower consumption of the entire system 1, it is desirable that thestorage unit 2 can be physically detachably attachable to theinformation processing device 111.

It is desirable that a storage capacity of the data migrationdestination storage unit 3 is equal to or larger than a storage capacityof the data migration source storage unit 2. However, the presentinvention can be applied even when the storage capacity of the storageunit 3 is smaller than the storage capacity of the storage unit 2.

In this embodiment, the storage unit 3 is a storage unit connected tothe information processing device 111 anew after it is determined thatthe storage unit 2 has reached the life end or is about to reach thelife end. The present invention can also be applied when, after it isdetermined that the storage unit 2 has reached the life end or is aboutto reach the life end, the storage unit 3 in the normal state alreadyconnected to the information processing device 111 is used as amigration destination without new connection. To reduce a setting spacebefore connection of the storage unit 3 and reduce the power consumptionof the entire system 1 and to discard the storage unit 3 afterreliability deterioration of the storage unit 3, reduce a setting space,and reduce the power consumption of the entire system 1, it is desirablethat the storage unit 3 is physically detachably attachable to theinformation processing device 111.

The control program 200 stored in the main memory 6 performs control andmanagement of statistical information of the storage unit 2 and thestorage unit 3, status management areas 510, logical drive ID managementareas 520, and a data migration log area 550 of the respective storageunits and performs life end processing, data migration processing, andthe like based on the statistical information.

The storage unit 2 and the storage unit 3 respectively include thestatus management areas 510 and the logical drive ID management areas520. The storage unit 3 includes the data migration log area 550.

In this embodiment, data stored in the status management areas 510 cantake values 0 to 5. The respective values indicate states of the storageunits corresponding to the status management areas 510 as follows:

0: initial storage state

1: normal state

2: low reliability state

3: data migration source state (protected state)

4: data migration destination state

5: discard target state

The information processing system 1 can be configured such that thestatus management areas 510, the logical drive ID management areas 520,and the data migration log area 550 are stored in the main memory 6rather than being stored in the respective storage units. The samelogical drive ID is stored in the logical drive ID management areas 520of the data migration source storage unit 2 and the data migrationdestination storage unit 3.

The data migration log area 550 is included in the data migrationdestination storage unit 3. When the information processing device 111performs write in an LBA of the storage unit 3 or the informationprocessing device 111 transmits a delete notification to the logicaldrive 4 to invalidate data in an LBA of the storage unit 2, the controlprogram 200 stores a write target LBA and a write target sector size inthe data migration log area 550 as shown in FIG. 50 as an update log (adata migration log) of the logical drive 4. The control program 200performs garbage collection and optimization of the data migration logarea 550 at any time during data write in the logical drive 4, during adelete notification, and during idling of the storage unit 3. Forexample, in storing an LBA area having a sector size X ofLBA=cLBA−cLBA+X−1 (hereinafter described as (cLBA, X)) in the datamigration log area 550, when an LBA overlapping (cLBA, X) is alreadystored in the data migration log area 550 or when an LBA area continuingto (cLBA, X) is already recorded in the data migration log area 550, itis desirable that the control program 200 records, as a new log, an LBAarea obtained by combining (merging) the stored LBA area and theLBA(cLBA, X) in the data migration log area 550 and deletes logs of thecombination source LBA areas. For example, when an LBA area A ofA=(cLBA, X) is recorded in the data migration log area 550 anew and anLBA area B of B=(cLBA-a, a) is already stored in the data migration logarea 550, the LBA area A and the LBA area B are continuous LBA areas.Then, the control program 200 can update the data migration log area 550without increasing a log data amount of the data migration log area 550by overwriting an area in which B=(cLBA-a, a) is stored in the datamigration log area 550 with log data of (cLBA-a, a+X), which is an LBAarea of A+B. When data migration explained below is completed, thecontrol program 200 can delete or deallocate the data migration log area550 and allocate the data migration data area 550 to other uses such asuser data storage.

FIG. 51 is an example of write of a log in the data migration log area550. Data D (cLBA) in LBA=cLBA of the logical drive 4 before the lifeend is stored in the LBA=cLBA of the storage unit 2. When the storageunit 2 has reached the life end, for example, if write of the data D(cLBA) having one sector size in the LBA=cLBA of the logical drive 4 isperformed, the control program 200 controls the OS 100 to perform writein the LBA=cLBA of the storage unit 3. The control program 200 storesthe LBA=LBA and the sector count=1 in the data migration log area 550 aslog data. After the storage unit 2 has reached the life end, when the OS100 writes data D(cLBA), D(cLBA+1), . . . , and D(cLBA+X−1) of a sectorsize=X in the LBA=cLBA in the logical drive 4, the control program 200controls the OS 100 to write the data in LBA=cLBA, cLBA+1, . . . , andcLBA+X−1. The control program 200 stores the LBA=cLBA and the sectorcount=X in the data migration log area 550 as log data.

In FIG. 51, write in LBA=1, LBA=3, and LBA=4 is performed in LBA=1,LBA=3, and LBA=4 of the storage unit 3. Logs of the LBA=1 and the sectorcount=1 are recorded as data migration logs. Logs of the LBA=3 and thesector count=1 and the LBA=4 and the sector count=1 are integrated withlogs of the LBA=3 and the sector count=2 and recorded.

The control program 200 can allocate an LBA area as the statusmanagement areas 510, the logical drive ID management areas 520, and thedata migration log area 550. Alternatively, the control program 200 canallocate a logical address area (e.g., a log page address area), whichis not an LBA area, as the status management areas 510, the logicaldrive ID management areas 520, and the data migration log area 550. Whenthe log page address area is allocated, for example, read of the logpage area is performed according to 2Fh Read Log Ext described in ACS-3of Non-Patent Literature 1 and write in the log page address area isperformed according to 3Fh Write Log Ext described in ACS-3 ofNon-Patent Literature 1.

In the same manner as shown in FIGS. 24 and 29 in the first embodiment,the control program 200 determines whether the respective storage unitsconnected to the CPU 5 have reached the life end, are about to reach thelife end, or are about to fail. When the storage units have reached thelife end, are about to reach the life end, or are about to fail, thecontrol program 200 performs the life end processing of the storageunits. As in the first embodiment, the life end determination isperformed at every fixed time, at each fixed number of kinds ofprocessing, or at each fixed data transmission and reception shown inFIG. 24 or when a command response received from the storage unit is anerror response as shown in FIGS. 29 and 30.

Life End Processing

FIG. 52 shows the life end processing of the storage unit 2 in thisembodiment performed when the control program 200 determines that thestorage unit 2 has reached the life end. When the control program 200determines that the storage unit 2 has reached the life end (step S430),the control program 200 rewrites a status of the storage unit 2 from thenormal state of 1 to the low reliability state of 2 (step S431). It isdesirable that the control program 200 notifies an administrator, anoperator, or a user of the information processing system through adisplay device or an LED or the like set near a port to connect thestorage unit 3, which is a new storage unit, to a free port of theinterface 19 (step S432). Alternatively, when a mechanical apparatusthat automatically performs physical attachment and detachment of thestorage unit 2 or the storage unit 3 to and from the interface 19 ismounted on the information processing system 1 as a storage load/unloadapparatus (not shown in the figure), the control program can control thestorage load/unload apparatus to connect the storage unit 3, which is anew storage unit, to the interface 19.

When the storage unit 3 is connected as a new storage unit (step S433),the control program 200 rewrites the status 510 of the storage unit 3 tothe data migration destination state of 4 (step S434) and copies data ofthe logical drive ID management area 520 of the storage unit 2 to thelogical drive ID management area 520 of the storage unit 3 to matchlogical drive IDs of the storage units 2 and 3 (step S435). In thepresent example, because the storage unit 2 is allocated as the logicaldrive 4 as shown in FIG. 49, an ID of the logical drive 4 is written inthe logical drive ID management area 520 of the storage unit 3. Thecontrol program 200 rewrites the status 510 of the storage unit 2 to thedata protected state (the data migration source state) (step S436) andcauses the OS 100 to recognize the storage unit 2 and the storage unit 3as the logical drive 4, which is the same logical drive (step S437).After the life end processing, the status of the storage unit 2 is 3 andthe status of the storage unit 3 is 4. The logical drive 4, the storageunit 2, and the storage unit 3 transition to the data migrating state.

In this embodiment, the statuses of the respective storage units arestored in the status management areas 510 of the storage units in anonvolatile manner. As shown in FIG. 35, the control program 200recognizes the statuses of the storage units by reading the statusmanagement areas 510 every time the OS 100 starts. The control program200 recognizes whether the logical drive 4 is in the data migratingstate by recognizing the statuses of the storage units and reading thelogical drive IDs of the storage units from the logical drive IDmanagement areas 520.

Read from the Logical Drive

The control program 200 reads data as shown in FIGS. 53A and 53B inresponse to a read request from the application program 400. The controlprogram 200 receives a read request, a read target logical drive ID, aread target LBA, and a sector count from the application program 400(step S440). The control program 200 retrieves all storage units inwhich data of the logical drive ID management areas 520 is equal to theread target logical drive ID and specifies the storage unit 2 and thestorage unit 3 (step S441). The control program 200 reads values of thestatus management areas 510 of the retrieved storage units anddetermines statuses of the storage units to specify which of the storageunit 2 and the storage unit 3 each of the retrieved storage units is(step S442). To suppress performance deterioration of the informationprocessing system 1 involved in the read processing of the statusmanagement areas 510, it is desirable that the control program 200loads, during the start of the information processing device 111, dataof the status management areas 510 of the storage unit 2 and the storageunit 3 on the main memory 6 as cache data and thereafter reads data ofthe status management areas 510 from the main memory 6.

When a status of the storage unit belonging to the target logical driveis 1, a status of the logical drive is the normal state (Yes at stepS443). The control program 200 controls the OS 100 to transmit a readcommand, the read target LBA, and the sector count to the storage unit 2(step S444). The control program 200 receives a response and read datafrom the storage unit 2 (step S445). The control program 200 transmitsthe read data and a response to the application program 400 (step S446).

When the status of the storage unit belonging to the target logicaldrive is not 1, the status of the logical drive is the data migratingstate (No at step S443). The control program 200 reads the datamigration log area 550 of the storage unit 3 (step S447) and determineswhether the read target LBA is included in the data migration log (stepS448). When the read target LBA is included in the data migration log(Yes at step S448), the control program 200 transmits a read command,the read target LBA, and the sector count to the storage unit 3 (stepS452). The control program 200 receives a response and read data fromthe storage unit 3 (step S453). The control program 200 transmits theread data and a response to the application program 400 (step S455).

When the read target LBA is not included in the data migration log (Noat step S448), the control program 200 transmits a read command, theread target LBA, and the sector count to the storage unit 2 (step S449).The control program 200 receives a response and read data from thestorage unit 2 (step S450). The control program 200 transmits the readdata and a response to the application program 400 (step S455).

When an LBA area included in the data migration log and an LBA area notincluded in the data migration log are mixed in the read target LBAarea, the control program 200 divides the read target LBA area into theLBA area included in the data migration log and the LBA area notincluded in the data migration log and performs the processing explainedabove for the respective areas.

Write Back Backup

For example, in FIGS. 53A and 53B, write back backup at step S451 can beperformed or does not have to be performed. At step S451, when data ofthe data migration source storage unit 2 under data migration is read tothe cache memory area in the main memory 6, the data read to the cachememory area is written in the data migration destination storage unit 3under the data migration and a write destination LBA and a sector countare written in the data migration log area 550. Consequently, it ispossible to perform data transition to the storage unit 3 in thebackground of the data read from the logical drive 4 to the informationprocessing device 111. The size of an LBA area that should be backed upin the background is reduced and a period from the start to thecompletion of the data migrating state is further reduced. Inparticular, in a read operation to the logical drive 4, data read fromthe storage unit 2 and data write back in the storage unit 3 areperformed in parallel, whereby data migration can be performed at highspeed.

Data Delete Request to the Logical Drive

FIG. 54 shows a processing procedure of the OS 100 performed when an LBAdata delete request is transmitted from the application program 400 tothe OS 100. The OS 100 receives a data delete request, a logical driveaddress, and a delete target LBA from the application program 400 (stepS920). The control program 200 retrieves all storage units in which dataof the logical drive ID management areas 520 is equal to a logical driveID of an LBA data delete target and specifies the storage unit 2 and thestorage unit 3 (step S921). The control program 200 reads values of thestatus management areas 510 of the retrieved storage units (step S922)and determines statutes to specify which of the storage unit 2 and thestorage unit 3 each of the retrieve storage units is.

When a status of the storage unit belonging to the target logical driveis 1 (Yes at step S923), a status of the logical drive is the normalstate. The OS 100 transmits a delete notification and an LBA to thestorage unit 2 (step S924). The OS 100 receives a response from thestorage unit 2. The OS 100 transmits a response to the applicationprogram 400 (step S930).

When the status of the storage unit belonging to the target logicaldrive is not 1 (No at step S923), the status of the logical drive is thedata migrating state. The control program 200 reads the data migrationlog area 550 of the storage unit 3 (step S925) and determines whetherthe data delete target LBA is included in the data migration log (stepS926). When the delete target LBA is included in the data migration log,delete target data is stored in the storage unit 3. The control program200 transmits a delete notification and the LBA to the storage unit 3(step S927). The storage unit 3 invalidates data of the deletenotification target LBA, receives a response from the storage unit 3,and transmits a response to the application program 400 (step S930).

When the delete target LBA is not included in the data migration log(step S926), the delete target data is stored in the storage unit 2. Thecontrol program 200 transmits a delete notification and the LBA to thestorage unit 2 (step S928) and receives a response from the storage unit2. The control program 200 does not have to transmit the deletenotification to the storage unit 2. An LBA set as a target of a deletecommand from the application program 400 is data unnecessary to be readin future for the application program 400 and the OS 100 and is dataunnecessary to be migrated to the storage unit 3. Therefore, the controlprogram 200 records the delete target LBA and the sector count in thedata migration log area 550 to thereby invalidate mapping from thedelete target LBA to the storage unit 2 (step S929). The control program200 transmits a response to the application program 400 (step S930).

When an LBA area included in the data migration log and an LBA area notincluded in the data migration log are mixed in the delete target LBAarea, the control program 200 divides the delete target LBA area intothe LBA area included in the data migration log and the LBA area notincluded in the data migration log and performs the processing explainedabove for the respective areas.

In this way, in the processing of the data delete request, the controlprogram 200 updates the data migration log area 550. Therefore, data islogically migrated from the storage unit 2 to the storage unit 3. Datadeletion is used as a data migrating operation as well.

Write in the Logical Drive

The control program 200 writes data as shown in FIG. 55 in response to awrite command from the application program 400. The control program 200receives a write request, a write target logical drive ID, a writetarget LBA, and a sector count from the application program 400 (stepS460). The control program 200 retrieves all storage units in which dataof the logical drive ID management areas 520 is equal to the writetarget logical drive ID and specifies the storage unit 2 and the storageunit 3 (step S461). The control program 200 reads values of the statusmanagement areas 510 of the retrieved storage units and determinesstatuses of the storage units to specify which of the storage unit 2 andthe storage unit 3 each of the retrieved storage units is (step S462).

When a status of the storage unit belonging to a target logical drive isthe normal state, a status of the logical drive is the normal state (Yesat step S463). The control program 200 transmits a write command, thewrite target LBA, and the sector count to the storage unit 2 (stepS464). The control program 200 transmits write data received from anapplication to the storage unit 2 (step S465).

When the status of the storage unit belonging to the target logicaldrive is the data migrating state, the status of the logical drive isthe data migrating state (No at step S463). The control program 200transmits a write command, the write target LBA, and the sector count tothe data migration destination storage unit 3 (step S466). The controlprogram 200 transmits the write data received from the application tothe storage unit 3 (step S467). The control program 200 reads the datamigration log area 550 of the storage unit 3 (step S468) and determineswhether the write target LBA is included in the data migration log (stepS469). When the write target LBA is included in the data migration log,the write target LBA is already subjected to data migration. Therefore,the control program 200 does not update the data migration log area 550.When the write target LBA is not included in the data migration log, thewrite target LBA is an LBA for which migration is completed anew.Therefore, the control program 200 records the write target LBA and thesector count in the data migration log area 550 (step S470). The storageunit 3 writes write data in the write target LBA.

In this way, during the data migration, the OS 100 is controlled not totransmit a write request to the data migration source storage unit 2 andto transmit a write request to the data migration destination storageunit 3. The data migration log is recorded in the data migration logarea 550 of the storage unit 3. Every time the logical drive 4 receivesa write request from the application program 400, valid data stored inthe storage unit 2 is gradually migrated to the storage unit 3. New datawrite is used as a data migrating operation as well.

If it is assumed that a data write request from the application program400 is transmitted to all LBAs of the storage unit 2 at a uniformprobability distribution, when a sufficiently large amount of data iswritten in total, nearly all valid data of the storage unit 2 istransferred to the storage unit 3. The valid data is hardly left in thestorage unit 2. A total number of logical sectors, which is a storagecapacity, of the storage unit 2 is defined as C2, a total number oflogical sectors of the storage unit 3 is defined as C3, and, forexample, C2=C3=C. If it is assumed that a write distribution for all theLBAs is a uniform probability distribution as a model case, aprobability that a LBA=cLBA is written by a certain write request is1/C. When an n write requests are processed, a probability that theLBA=cLBA is not written at all is (1−(1/C)̂n). An is ̂n-th power.Therefore, an expected value of the number of logical sectors for whichwrite is completed after the write requests are processed n times isC−C×(1−(1/C)̂n).

If write of one logical sector is performed according to one writerequest, when data having a volume N times as large as the storagecapacity of the storage unit 2 and the storage unit 3 is written,because the number of processed write commands is n=NC, an expectedvalue E of the number of logical sectors in which write is not performedis E=C×(1−(1/C)̂(NC)). For example, when a storage capacity G of thestorage unit 2 in a Gbyte unit is G=512 GB (=476.9 GiByte) based on theIDEMA (International Disk Drive Equipment and Materials Association)standard, because C=97,696,368+1,953,504×(G=512−50)=1,000,215,216 and,in general, C is a sufficiently large integer, the expected value E canbe approximated as E=C×ê(−N) (e is a base of a natural logarithm).Therefore, the expected value E exponentially decreases with respect toan increase in N. For example, when data write of 476.9 GiByteequivalent to one round of the logical drive 4 takes place with respectto the logical drive 4 having a capacity of G=512 GByte (=476.9 GiByte),write in LBAs of about 63.2% of the logical drive 4 is completed. It canbe considered that transfer of half or more data of the logical drive 4from the storage unit 2 to the storage unit 3 is completed. For example,when data write of 13 TiByte equivalent to 4.6 rounds of the logicaldrive 4 takes place with respect to the logical drive 4 having acapacity of G=512 GByte (=476.9 GiByte), write in LBAs of about 99% ofthe logical drive 4 is completed. It can be considered that transfer ofsubstantially all data of the logical drive 4 from the storage unit 2 tothe storage unit 3 is completed. Ki=1024, Mi=1024×Ki, Gi=1024×Mi, andTi=1024×Gi.

Monitoring of a Data Migration State

The control program 200 reads the data migration log area 550 to monitora data migration state of the logical drive 4 in the data migratingstate. FIG. 56 shows a monitoring procedure for monitoring a datamigration state using a data migration log. For example, the controlprogram 200 reads the data migration log area 550 every time apredetermined time elapses to monitor a data migration state (steps S480and S481). When all migration target LBAs are included in the datamigration log area 550, the control program 200 determines that datamigration is completed. For example, all the LBAs of the data migrationsource storage unit 2 are included in the data migration log area 550,the control program 200 determines that data migration is completed(step S482). Alternatively, as determination of the completion of thedata migration, for example, the control program 200 can determinewhether all the LBAs of the storage unit 3 are included in the datamigration log area 550.

When the control program 200 determines that the data migration iscompleted, the control program 200 changes a status of the datamigration source storage unit 2 to the discard target state of 5 andchanges a status of the data migration destination storage unit 3 to thenormal state of 1 (step S483) to end the data migrating state of thelogical drive 4 and ends the data migration state monitoring for thelogical drive 4. To reduce the power consumption of the storage unit 2,it is desirable that the control program 200 transmits a transitionrequest to a low power consumption mode to the storage unit 2. After theend of the data migrating state, it is desirable that the controlprogram 200 notifies, through the display 9 or the LED set near theport, the administrator, the operator, or the user of the informationprocessing system to detach the storage unit 2 from the interface 19 orcontrols the storage load/unload apparatus to detach the storage unit 2from the interface 19.

Transition of an Overall Status

FIG. 57 shows transition of a status of the logical drive 4 performedwhen the storage unit 2 has reached the life end. When the storage unit2 is in the normal state, a status of the storage unit 2 is one and thestorage unit 3 is unconnected to the CPU 5 (step 1). When the controlprogram 200 determines that the storage unit 2 has reached the life end,the control program 200 changes the status of the storage unit 2 to 2(step 2). The storage unit 3 is connected to the interface 19 as a newstorage unit based on the notification or the control by the controlprogram 200 (step 3). When the storage unit 3 is connected, the controlprogram 200 changes the status of the storage unit 2 to 3 and changes astatus of the storage unit 3 to 4 to complete the transition to the datamigrating state (step 4). When the control program 200 determines basedon information of the data migration log area 550 that all valid data ofthe storage unit 2 is migrated to the storage unit 3, the controlprogram 200 changes the status of the storage unit 2 to 5 and changesthe status of the storage unit 3 to 1. Thereafter, the storage unit 3behaves as if the storage unit 3 is the original storage unit 2 (theprocessing returns to step 1). Thereafter, when it is further determinedthat the storage unit 3, i.e., the new storage unit has reached the lifeend, the same steps 2 to 5 are repeated. In this way, even when any oneof the storage units of the information processing device 111 hasreached the life end, is about to reach the life end, or is about tofail, it is possible to easily migrate the data of the storage unit 2 toa new storage unit according to this embodiment.

Background Backup

For example, during idling when the OS 100 does not receive a requestfrom the application program 400 for a fixed time or more, when the OS100 receives a standby mode transition request from the applicationprogram 400, or the information processing device 111 and the OS 100 areshut down, it is desirable that the control program 200 performsbackground backup for performing a backup operation for automaticallyreading data from the storage unit 2 and automatically writing data inthe storage unit 3 for an LBA in which data migration to the storageunit 3 is not completed. For example, a background backup operation isperformed by the control program 200 reading the data migration log area550 of the storage unit 3, performing data read from the storage unit 2for a cLBA not included in the data migration log area 550, and storingthe cLBA and a sector size of the write data in the data migration logarea 550 as log data. In storage of the cLBA in the data migration logarea 550, when continuous LBA areas are present or when overlapping LBAareas are present, it is desirable that an LBA area obtained by mergingthe LBA areas is stored in the data migration log area 550 and the LBAareas before the merging is deleted from the data migration log area550.

To reduce the data size of the data migration log area 550 and toperform data migration end determination explained below at high speed,it is desirable that the background backup is preferentially performedfor the un-migrated fragmented cLBA areas among cLBA areas other thanthe cLBA area registered in the data migration log area 550. The controlprogram 200 preferentially backs up the un-migrated fragmented LBA areaand subjects the un-migrated fragmented LBA area to data migration tothereby store a newly migrated LBA area in the data migration log area550 as an LBA area formed by merging the newly migrated LBA area withmigrated LBA areas continuously located before and after the newlymigrated LBA area. For example, when data of the area LBA=0 ((LBA=0,sector size=1)) and the area LBA=2 ((LBA=2, sector size=1)) is alreadybacked up and registered in the data migration log, the control program200 can change the LBA areas (LBA=0, sector size=3) of the continuousLBA0 to LBA2 to a migration completed state. Consequently, an dataamount of the data migration log area 550 is reduced.

For example, as explained above, when the application program 400 writesdata of 476.9 GiByte in total in a SSD of 512 GByte (=476.9 GiByte), thecontrol program 200 performs the background backup operation for an areaof 175.5 GiB, which is a capacity of 36.8% of the storage capacity,whereby data migration for all LBA areas of the storage unit 2 iscompleted. Typical read speed and typical write speed of the storageunit 2, which is a SSD, and the storage unit 3, which is a SSD, are, forexample, about 400 MiB/second. Read from the storage unit 2 in the LBAareas of 476.9 GiB is completed in about 449 seconds and write in thestorage unit 3 is completed in about 449 seconds. Therefore, under sucha situation, the background backup is completed in about 15 minutes atmost. When the read from the storage unit 2 and the write in the storageunit 3 are performed in parallel, the read and the write are completedin about 8 minutes.

Further, for example, as explained above, when the application program400 writes data of 13 TiByte in total in a SSD of 512 GByte (=476.9GiByte), the control program 200 performs the background backupoperation for an area of 4.8 GiB, which is a capacity of 1% of thestorage capacity, whereby the data migration is completed for all theLBA areas of the storage unit 2. Typical read speed and typical writespeed of the storage unit 2, which is a SSD, and the storage unit 3,which is a SSD, are, for example, about 400 MiB/second. Read from thestorage unit 2 in the LBA areas of 4.8 GiB is completed in about 12seconds and write in the storage unit 3 is completed in about 12seconds. Therefore, under such a situation, the background backup iscompleted in about 24 minutes at most. When the read from the storageunit 2 and the write in the storage unit 3 are performed in parallel,the read and the write are completed in about 12 minutes.

On the other hand, time of 20 minutes to 41 minutes is required for databackup of a comparative example for backing up data by reading all thedata from the storage unit 2 having a capacity of 512 GB and writing thedata in the storage unit 3 without applying this embodiment. That is,compared with the comparative example, according to the application ofthis embodiment, the time require for substantial backup decreases by63% after data write equivalent to storage capacity×1 and by 99% afterdata write equivalent to storage capacity×4.6.

In this way, according to the application of this embodiment, databackup work by the user is unnecessary and a load of processing on theinformation processing device 111 according to the background backup issubstantially reduced. The application program 400 can use the logicaldrive 4 while hardly being affected by the data backup from the storageunit 2 in the storage unit 3. Most of data migration processing in thisembodiment is logical data transfer. Compared with copying of entitydata, a read processing amount and a write processing amount in the NANDflash memory 16 is markedly small and a band use ratio of the interface19 is markedly small. Only rewriting of an amount equivalent to the sizeof the status management areas 510 takes place in the storage unit 2deteriorated in reliability and it is possible to reduce the failurerate of the storage unit 2 due to further data write in the storage unit2. When new data is written in the logical drive 4, data is written inthe storage unit 3 having high reliability rather than the storage unit2. Therefore, it is possible to prevent a loss of write data. Even whenthe storage unit 2 has reached the life end and further data write isprevented, the logical drive 4, which is the upper layer of the storageunits, behaves as a drive that can perform both of read and write.Therefore, an upper software layer such as an application program cantreat the logical drive 4 equivalently irrespective of whether thelogical drive 4 is in a life end mode or in the normal state. Therefore,an application program modification for introducing this embodiment isnot needed and a shift to a system adopting this embodiment is easy.

Third Embodiment

In an example explained in a third embodiment, the present invention isapplied to the information processing system 1 including a storagearray. FIG. 58 shows the information processing system 1 according tothe third embodiment. The information processing system 1 includes astorage array device 1003, storage units 2A to 2D, the storage unit 3,the interface 19 configured to connect the storage array device 1003,the storage units 2A to 2D, and the storage unit 3, a client 1002, and astorage network 1000 configured to connect the client 1002 and thestorage array device 1003. In the information processing system 1, thestorage units 2A to 2D are connected to the storage array device 1003and are respectively recognized as logical slots functioning as logicalunits. A RAID (Redundant Arrays of Inexpensive Disks) array is builtusing the logical slots. The storage unit 3 functioning as a datamigration destination can be further connected to the storage arraydevice 1003. In this embodiment, four storage units configure the RAIDarray before life end processing. However, the RAID array can be builtusing arbitrary two to a plurality of storage units. In this embodiment,the RAID5 is used as the RAID array. However, this embodiment can alsobe applied when a storage array is built using other RAID techniquessuch as RAID0, RAID2, RAID3, RAID4, RAID6, and RAID Z and other storagearray implementation forms.

The network 1000 is a storage network for storage access. For example, aFibre Channel or an Ethernet (registered trademark) is used. Inparticular, as the storage network 1000, for example, a SAN (StorageArea Network) or a NAS (Network Attached Storage) is used. As the SAN,for example, an FC-SAN (Fibre Chanel Storage Area Network) or an IP-SAN(Internet Protocol Area Network) is used. As an upper layer protocol ofthe SAN, for example, a SCSI (Small Computer System Interface) is used.In an example explained in this embodiment, the IP-SAN is adopted as thestorage network 1000. As an upper layer protocol of the IP-SAN, an iSCSI(Internet Small Computer System Interface) is used. The storage network1000 includes a network switch 10001 and a hub (not shown in thefigure).

The client 1002 is a computer connected to the storage network 1000 andconfigured to carry out desired processing. Typically, the client 1002includes hardware resources such as a processor, a main memory, acommunication interface and a local input/output device. The client 1002includes software resources such as a device driver, an operating system(OS), and an application program (not shown in the figure).Consequently, the client 1002 executes various programs under thecontrol by the processor and realizes processing in cooperation with thehardware resources. For example, the client 1002 executes a businessapplication program under the control by the processor to therebyI/O-access the storage array device 1003 through the storage network1000 and realize a desired business system. The client 1002 can be adatabase server (DB server) in which a database management system (DBMS)is operating. Then, upon receiving a data read request from a client(not shown in the figure) connected to the DB server through the storagenetwork 1000 or another network (not shown in the figure), the client1002 reads data from the storage array device 1003 and transmits theread data to the client. Upon receiving a data write request from theclient, the client 1002 receives write data from the client and writesthe data in the storage array device 1003.

The storage array device 1003 uses logical slots 0 to 3 as configurationunits of RAID. The logical slots correspond to the logical devices inthe second embodiment. In a normal state before any one of the storageunits 2A to 2D has reached the life end, the storage units 2A to 2D areconnected to the storage array device 1003 through the interface 19. Thestorage unit 2A is allocated to the logical slot 0, the storage unit 2Bis allocated to the logical slot 1, the storage unit 2C is allocated tothe logical slot 2, and the storage unit 2D is allocated to the logicalslot 3. Consequently, the storage array device 1003 notifies the client1002 of the four logical slots corresponding to the four storage units2A to 2D as virtual one logical device using the RAID5. The client 1002transmits an LBA for accessing the storage array device (hereinafterreferred to as “array LBA” or “ALBA”). A control unit 200 in a RAIDcontroller 1005 transforms the array LBA into logical slot numbers andLBAs for accessing the storage units 2A to 2D (hereinafter referred toas “storage unit LBAs” or “SLBAs”). The control unit 200 transmits anaccess command to the SLBA of at least one storage unit among thestorage units 2A to 2D specified by the logical slot numbers.

The storage array device 1003 alone can provide the cline 1002 withdata-storage service. Alternatively, one virtual storage devicevirtually configured by the storage array device 1003 and not-shownanother storage array device can provide the client 1002 with thedata-storage service. In the storage array device 1003, one or morelogical devices (LDEVs) to be provided to the client 1002 are formed inthe storage array device 1003.

The logical device is a logical storage device that can be recognized bythe client 1002. A logical unit (LU) is allocated to the logical device.The client 1002 recognizes the logical device formed on a physicaldevice as the logical unit. Logical unit numbers (LUNs) are given to thelogical units. The logical unit is divided into logical sectors (logicalblocks). Array LBAs are allocated to the logical sectors. The client1002 can access a specific logical sector in a specific logical unit bygiving a command including a logical address formed by a logical unitnumber and the array LBA to the storage array device 1003. In thisembodiment in which the iSCSI is used, the client 1002 and the storagearray device 1003 respectively function as an initiator and a target,which are iSCSI nodes allocated with iSCSI names. Therefore, the client1002 and the storage array device 1003 transmit and receive an iSCSI PDUvia a network portal specified by a combination of an IP address and aTCP port number. Therefore, the client 1002 designates an iSCSI name, anIP address, and a TCP port number to thereby recognize the storage arraydevice 1003 on the network 1000 and accesses a logical sector in thelogical unit of the storage array device 1003.

The storage units 2A to 2D are storage units connected to the storagearray device 1003 through the interface 19. As the storage units 2A to2D, for example, storage units equivalent to the storage unit 2explained in the first embodiment can be respectively used. In thisembodiment, as an example, as the storage units 2A to 2D, the SSDexplained in the first embodiment is used. In terms of discarding thestorage units 2A to 2D after reliability deterioration, reduce a settingspace, and reduce the power consumption of the entire informationprocessing system 1, it is desirable that the storage units 2A to 2D arephysically detachably attachable to the storage array device 1003.

The storage unit 3 is a storage unit connected to the storage arraydevice 1003 anew after it is determined that any one of the storageunits 2A to 2D has reached the life end or is about to reach the lifeend. For example, the storage units equivalent to the storage unit 3described in the first embodiment can be used. In this embodiment, asthe storage unit 3, the SSD described in the first embodiment is used.To reduce a setting space before connection of the storage unit 3, toreduce the power consumption of the entire information processing system1, and to discard the storage unit 3 after reliability deterioration ofthe storage unit 3 to reduce a setting space and reduce the powerconsumption of the entire information processing system 1, it isdesirable that the storage unit 3 is physically detachably attachable tothe storage array device 1003.

The RAID controller 1005 controls building and management of a RAIDarray of a storage unit connected to a storage interface 1007 andincludes the control unit 200. The control unit 200 takes variousimplementation forms such as firmware and software stored in a memory inthe RAID controller 1005 or hardware in the RAID controller 1005. Uponreceiving a command from the client 1002, a network switch 6009, or thelike through a network interface 1004, the control unit 200 transmits aread command, a write command, other commands, and data to the storageunits through the storage interface 1007, receives responses and datafrom the storage units, and transmits a response and the data to theclient 1002 through the network interface 1004. The control unit 200performs control and management of statistical information, the statusmanagement areas 510, the slot number management areas 530, and the datamigration log area 550 of the storage units 2A to 2D and the storageunit 3 and performs life end processing, data migration processing, andthe like based on the statistical information. The status managementareas 510, the slot number management areas 530, and the data migrationlog area 550 can be stored in a storage area in the informationprocessing system 1 such as a memory area (not shown in the figure) inthe RAID controller 1005 rather than being stored in the storage units.In this embodiment, data stored in the status management areas 510 cantake values 0 to 5. The respective values indicate states of a storageunit corresponding thereto as follows:

0: initial storage state

1: normal state

2: low reliability state

3: data migration source state (protected state)

4: data migration destination state

5: discard target state

In FIG. 59, a transformation method for an array LBA (ALBA) and astorage unit LBA (SLBA) in the normal state in this embodiment is shown.The control unit 200 adopting the RAID5 generates, using threecontinuous logical sectors ALBA=3q, 3q+1, and 3q+2 (q is an arbitraryinteger equal to or larger than 0) as a set, parity data P(3q, 3q+2)equivalent to one logical sector with respect to array data D(ALBA=3q),D(ALBA=3q+1), and D(ALBA=3q+2), which are data of the respective logicalsectors.

The parity data P(3q, 3q+2) is calculated by exclusive ORing respectivebits having the same offset in logical sectors in D(ALBA=3q),D(ALBA=3q+1), and D(ALBA=3q+2) in such a manner as P(3q,3q+2)=(D(ALBA=3q) XOR D(ALBA=3q+1) XOR DALBA-3q+2). For example, paritydata P(0,2) is calculated by the control unit 200 from D(0), which isdata of ALBA=0, D(1), which is data of ALBA=1, and D(2), which is dataof ALBA=2. In the normal state, array data D(ALBA=3q), D(ALBA=3q+1), andD(ALBA=3q+2) and parity data P(3q, 3q+2) are distributedly managed inthe storage units 2A to 2D as shown in FIG. 59. For example, in the caseof the ALBA=1, data D(1) corresponding thereto is stored in LBA=SLBA=0of the storage unit 2B allocated to the logical slot 1. Upon receivingthe ALBA=1 from the client 1002, the control unit 200 specifies alogical slot number=1 and SLBA=0.

For example, upon receiving a read command for the ALBA=1 from theclient 1002, the control unit 200 specifies the logical slot number=1and the SLBA=0, which are storage destination of D(1), transmits a readcommand for the SLBA=0 to the storage unit 2B connected to the logicalslot number=1, receives read data, and transmits the received read datato the client 1002. When a response is not received from the storageunit 2B or when an error response is received from the storage unit 2B,the control unit 200 transmits a read command for the SLBA=0 to thestorage unit 2A, the storage unit 2C, and the storage unit 2D connectedto the logical slot 0 and the logical slots 2 and 3 other than thelogical slot 1, restores D(1) from received data D(0), D(2), and P(0,2)through exclusive OR, and transmits the restored D(1) to the client1002. Data read for D(0), D(2), and P(0,2) can be performed in parallelduring the read of D(1).

For example, upon receiving a write command and write data for theALBA=1 from the client 1002, the control unit 200 specifies the logicalslot number=1 and the SLBA=0, which are storage destination of D(1),transmits a write command for the SLBA=0 to the storage unit 2B havingthe logical slot number=1, writes data to be written, reads the dataD(0) and D(2) from the SLBA=1 of the storage unit 2A and the storageunit 2C, which are the storage units connected to the slots other thanthe logical slot number 1 and not having parity data stored in theSLBA=0, calculates the parity data P(0,2) from D(0), D(1), and D(2), andwrites the parity data P(0,2) in the SLBA=0 of the storage unit 2D.

In FIG. 60, a transformation method for the array LBA and the storageunit LBA immediately after migration state transition of the logicalslot 1 is shown. Immediately after the migration state transition, thetransformation method for the array LBA and the storage unit LBA is thesame as that in the normal state shown in FIG. 59.

As shown in FIG. 58, the storage units 2A to 2D and the storage unit 3respectively include the status management areas 510 and the logicalslot number management areas 530. The storage unit 3 includes the datamigration log area 550. When data migration explained below iscompleted, the control unit 200 can delete or deallocate the datamigration log area 550 and allocate the data migration log area 550 toanother use such as user data storage. The control unit 200 can allocatethe LBA area to the status management areas 510, the logical slot numbermanagement areas 530, and the data migration log area 550.Alternatively, the control unit 200 can allocate an area that is not anLBA area (e.g., a log area allocated with a log page address) to thestatus management areas 510, the logical slot number management areas530, and the data migration log area 550. In the area that is not an LBAarea, for example, read is performed according to 2Fh Read Log Extdescribed in ACS-3 of Non-Patent Literature 1 and write is performedaccording to 3Fh Write Log Ext described in ACS-3 of Non-PatentLiterature 1. A log of a data migrating state explained below is storedin the data migration log area 550.

As log data recorded in the data migration log area 550, in thisembodiment, table data shown in FIG. 61 is used. When data of a sectorcount Xis written in the LBA (=SLBA) of the storage unit 3 in the datamigrating state, the control unit 200 additionally writes (SLBA, X) inthe data migration log area 550. When LBAs overlapping or continuous toan area of LBA=SLBA−SLBA+X−1 are already recorded in the data migrationlog area 550, it is desirable to record a log obtained by combining theLBAs in the data migration log area 550 and delete the combined log fromthe data migration log area 550. For example, when an LBA area A of(SLBA, X) is written in the data migration log area 550 anew and when anLBA area B of (SLBA-a, a) is already recorded in the data migration logarea 550, because the LBA area A and the LBA area B are continuous, itis possible to update the data migration log area 550 without increasinga log data amount by overwriting a log of (SLBA-a, a) with data of(SLBA-a, a+X) indicating a region of A+B.

In the same manner as shown in FIGS. 24 and 29 in the first embodiment,the control unit 200 determines whether the respective storage unitsconnected to the storage interface 1007 have reached the life end, areabout to reach the life end, or are about to fail. When the storageunits have reached the life end, are about to reach the life end, or areabout to fail, the control unit 200 performs the life end processing. Asin the first embodiment, the life end determination is performed atevery fixed time, at each fixed number of kinds of processing, or ateach fixed data transmission and reception shown in FIG. 24 or when acommand response received from the storage unit is an error response asshown in FIGS. 29 and 30.

FIG. 62 shows the life end processing of the storage unit 2B performed,for example, when the control unit 200 determines that the storage unit2B has reached the life end. When the control unit 200 determines thatthe storage unit 2B has reached the life end (step S500), the controlunit 200 rewrites a status of the storage unit 2B from 1 to 2 (stepS501). It is desirable that the control unit 200 notifies a networkadministrator through a display device, an LED, or the like to connect anew storage unit to a free slot of the storage interface 1007 (stepS502). Alternatively, when a mechanical apparatus that automaticallyperforms physical attachment and detachment of the storage units 2A to2D or the storage unit 3 to and from the storage interface 1007 ismounted on the information processing system 1 as a storage load/unloadapparatus (not shown in the figure), the control unit 200 can controlthe storage load/unload apparatus to connect a new storage unit to thestorage interface 1007 (step S502).

When the storage unit 3 is connected as a new storage unit (step S503),the control program 200 rewrites the status 510 of the storage unit 3 to4 (step S504) and copies data of the logical slot number managementareas 530 of the storage unit 2B to the logical slot number managementareas 530 of the storage unit 3 (step S505). In the present example,because the storage unit 2B is allocated as the logical slot 1 as shownin FIG. 57, 1 is written in the logical slot number management areas 530of the storage unit 3. The control program 200 rewrites the status 510of the storage unit 2B to 3 (step S506) and causes the RAID controller1005 to recognize the storage unit 2B and the storage unit 3 as thelogical slot 1, which is the same logical slot (step S507). After thelife end processing, a status of the storage unit 2B is 3 and a statusof the storage unit 3 is 4. The logical slot 1 transitions to the datamigrating state.

In this embodiment, the statuses of the respective storage units arestored in the status management areas 510 of the storage units in anonvolatile manner. FIG. 63 shows a processing procedure of the controlunit 200 performed when the RAID controller 1005 starts and when thestorage units are connected to the storage interface 1007. Every timethe RAID controller 1005 starts, the control unit 200 reads the statusmanagement areas 510 to recognize statuses of the storage units. Thecontrol unit 200 recognizes the statuses of the storage units and readslogical slot numbers of the storage units from the logical slot numbermanagement areas 530 to determine whether each of the logical slots 0 to3 is in the data migrating state.

That is, when the storage status=0 (step S511), the control unit 200recognizes the storage units as being in the initial storage state (stepS512). When the storage status=1 (step S513), the control unit 200recognizes the storage units as being in the normal state (step S514).When the storage status=2 (step S515), the control unit 200 recognizesthe storage unit as being in the low reliability state (step S516). Whenthe storage status=3 (step S517), the control unit 200 recognizes thestorage units as being in the data migration source state (the protectedstate) during the data migration work (step S518). When the storagestatus=4 (step S519), the control unit 200 recognizes the storage unitsas being in the data migration destination state during the datamigration work (step S520). When the storage status=5 (step S521), thecontrol unit 200 recognizes the storage units as being in the discardtarget state (step S522). When the storage status is other than 0 to 5,the control unit 200 regards the storage units as unauthorized storageunits (step S523).

Read from the Logical Drive (1)

FIG. 64 shows a processing procedure of the control unit 200 performedwhen a read request is transmitted from the client 1002 to the storagearray device 1003. The control unit 200 receives a read command forALBA=cALBA, which is a read target array LBA, from the client 1002 (stepS530). The control unit 200 calculates a logical slot number cSLOT andSLBA=cSLBA, which is a read target storage unit LBA, from cALBA (stepS531). The control unit 200 determines whether a storage unit of alogical unit of cSLOT is in failure (step S532). When the storage unitof the logical slot of the cSLOT is not in failure, subsequently, thecontrol unit 200 determines whether the storage unit of the logical slotof the cSLOT is in the data migrating state (step S533).

When the storage unit of the logical slot of the cSLOT is in the datamigrating state (step S533), the control unit 200 reads data includingparity from a slot other than the slots of the cSLOT, restores data ofthe cSLBA of the cSLOT using the data, and transmits the restored datato the client 1002 (step S534). The control unit 200 writes back therestored data of the cSLBA of the cSLOT to the data migrationdestination storage unit 3 and records a data migration log in the datamigration log area 550 (step S535). When the storage unit of the logicalslot of the cSLOT is not performing data migration (step S533), thecontrol unit 200 reads data D (cSLBA) from the storage unit of the cSLOTand transmits the read data to the client 1002. In this way, when theread target logical slot is in the data migrating state, the read targetdata is restored from a slot other than the read target. Consequently,even if data of the storage unit in the data migrating state is lost, itis possible to remedy the loss. Further, read from the storage unit inthe data migrating state is reduced to suppress read disturb (aphenomenon in which an error occurs in stored data because very smallcharges are stored in a floating gate of an unselected memory cellincluded in the same block as a memory cell from which the data isread).

When the storage unit of the logical slot of the cSLOT is in failure,the control unit 200 determines whether a slot in the data migratingstate is present (step S537). When a slot in the data migrating state isabsent, the control unit 200 reads data from a slot other than the slotof the cSLOT, restores data of the cSLBA of the cSLOT using the data,and transmits the restored data to the client 1002 (step S538). When theread target slot is in failure and a slot in the data migrating state isabsent in other slots in this way, the control unit 200 restores theread target data from a slot other than the read target.

When the storage unit of the logical slot of the cSLOT is in failure anda slot in the data migrating state is present (step S537), the controlunit 200 reads the data migration log area 550 and determines in whichof the data migration source and the data migration destination the dataof the read target SLBA is present (step S539). The control unit 200restores the data of the cSLBA of the cSLOT from data read from a datamigration destination storage unit, a data migration source storageunit, and a normal-state storage unit and transmits the restored data tothe client 1002 (step S540). When data of the data migration source isused, the control unit 200 writes back the used data migration sourcedata to the data migration destination storage unit 3 and records a datamigration log in the data migration destination data migration log area550 (step S541).

Read from the Logical Drive (2)

FIG. 65 shows another processing procedure of the control unit 200performed when a read request is transmitted from the client 1002 to thestorage array device 1003. In the processing procedure shown in FIG. 65,processing performed when the determination at step S533 in FIG. 64 isaffirmative is changed from steps S534 and S535 to steps S550 to S554.In FIG. 65, the processing at step S541 in FIG. 64 is deleted. When thestorage unit of the logical slot of the cSLOT is in the data migratingstate (step S533), the control unit 200 reads the data migration logfrom the data migration destination storage unit 3 and determineswhether the data of the cSLBA is included in the data migration log(step S551). When the data of the cSLBA is included in the datamigration log, the control unit 200 reads the data of the cSLBA from thedata migration destination storage unit 3 and transmits the read data tothe client 1002 (step S554). When the data of the cSLBA is not includedin the data migration log, the control unit 200 reads the data of thecSLBA from the data migration source storage unit and transmits the readdata to the client 1002 (step S552). The control unit 200 writes backthe data read from the data migration source to the data migrationdestination storage unit 3 and updates the log 550 of the data migrationdestination storage unit 3 (step S553).

Write in the Logical Drive

FIG. 66 is a flowchart for explaining processing for a write commandfrom the client 1002 in this embodiment. Upon receiving a write commandincluding the cLBA, which is the array LBA, and a sector length from theclient 1002 (step S560), the control unit 200 receives write data fromthe client 1002 (step S561). The control unit 200 calculates a logicalslot number cSLOT, in which data should be written, from the cALBA,retrieves the cSLBA, which is the storage unit LBA in which data shouldbe written, from the cALBA, and calculates a logical slot number cPSLOTof a parity data storage destination of the cSLBA from the cALBA (stepS562). The control unit 200 reads data of the cSLBA of all the slots inparallel. When there is a failed slot, the control unit 200 reads datafrom a slot other than the failed slot and restores data of the failedslot (step S563). Thereafter, the control unit 200 processes a main bodydata write task and a parity data write task in parallel.

The main body data write task is executed as explained below. Thecontrol unit 200 determines whether the cSLOT is in failure (step S564).When the cSLOT is in failure, the control unit 200 ends the task withoutwrite data. When the cSLOT is not in failure, the control unit 200determines whether the cSLOT is in the data migrating state (step S565).When the cSLOT is not in the data migrating state, the control unit 200writes reception data from the client 1002 in the cSLBA of the slotcSLOT (step S566). When the cSLOT is in the data migrating state, thecontrol unit 200 writes the reception data in the cSLBA of a datamigration destination storing unit of a data migration source storageunit and the data migration destination storage unit allocated to theslot cSLOT (step S567). The control unit 200 records the cSLBA and asector size in the data migration log area 550 of the data migrationdestination storage unit as a data migration log (step S568). When datamigration logs of continuous LBAs before and after the cSLBA andoverlapping LBAs are present in the data migration log area 550, thecontrol unit 200 writes a data migration log obtained by combining thelogs in the data migration log 550 and deletes (invalidates) thecombination source data migration logs (step S568).

The deletion of the data migration log from the data migration log 550only has to be logical deletion. The data migration log does not have tobe physically erased by block erasing of the NAND memory 16. Forexample, a flag for invalidating a log is written in the data migrationlog 550 or the data migration log 550 after update is stored in an areadifferent from the data migration log 550 before the update and apointer indicating a storage position of the data migration log 550 isupdated, whereby the data migration log is logically deleted from thedata migration log 550.

The parity data write task is executed as explained below. The controlunit 200 overwrites data read from all the logical slots to the memoryin the RAID controller 1005 with the write data received from the client1002 and recalculates parity data (step S570). The control unit 200determines whether the cPSLOT is in failure (step S571). When the cPSLOTis in failure, the control unit 200 ends the task without writing theparity data. When the cPSLOT is not in failure, the control unit 200determines whether the cPSLOT is in the data migrating state (stepS572). When the cPSLOT is not in the data migrating state, the controlunit 200 writes the parity data in the cSLBA of the slot cPSLOT (stepS573). When the cPSLOT is in the data migrating state, the control unit200 writes the parity data in the cSLBA of the data migrationdestination storage unit of the data migration source storing unit andthe data migration destination source unit allocated to the slot cPSLOT(step S574). The control unit 200 records the cSLBA and a sector size inthe data migration log area 550 of the data migration destinationstorage unit as a data migration log. When data migration logs ofcontinuous LBAs before and after the cSLBA and overlapping LBA arepresent in the data migration log 550, the control unit 200 writes adata migration log obtained by combining the data migration logs in thedata migration log area 550 and deletes the combination source datamigration logs from the data migration log 550 (step S575).

In this way, the control unit 200 transmits, in response to a writerequest from the client, the write command of the SLBA to the storageunits 2A, 2C, and 2D allocated to the logical slots 0, 2, and 3 not inthe data migrating state. On the other hand, for the logical slot 1under the data migration, the control unit 200 does not transmit a writecommand to the data migration source storage unit 2B, transmits a writecommand to the data migration destination storage unit 3, and records adata migration log in the data migration log area 550 of the storageunit 3.

A more detailed example is shown in FIG. 67. In an example shown in FIG.67, when the logical slot 1 is in the data migrating state, the storageunit 2B is allocated as the data migration source, the storage unit 3 isallocated as the data migration destination, and the logical slots 0, 2,and 3 are in the normal state, a request for writing D(1) in the ALBA=1,writing D(7) in ALBA=7, and writing D(16) in the ALBA=16 of the storagearray device 1003 is transmitted from the client 1002.

Example 1

Upon receiving a write command for data D(1)new in the ALBA=1 from theclient 1002, the control unit 200 specifies SLBA=0 and the logical slot1 from the ALBA=1. When the logical slot 1 is not in the data migratingstate, D(1)new is written in the SLBA=0 of the storage unit 2B. However,in the present example, the logical slot 1 is in the data migratingstate. Therefore, the control unit 200 writes D(1)new in the storageunit 3. The control unit 200 reads D(0) from the storage unit 2A of thelogical slot 0 and reads D(2) from the storage unit 2C of the logicalslot 2 based on the read operation explained above, calculates newparity data P(0,2)new from D(0), D(1)new, and D(2) through exclusive OR,and stores P(0,2)new in the SLBA=0 of the storage unit 2D of the logicalslot 3. For improvement of processing speed, it is desirable that thewrite command for D(1)new to the storage unit 3, the read command forD(0) to the storage unit 2A, and the read command for D(2) to thestorage unit 2C are transmitted from the control unit 200 in parallel.Further, it is desirable to, at a point when the read of D(0) and D(2)is completed, calculate P(0<2)new and transmit the write command to thestorage unit 2D without waiting for the completion of the write of D(1).The control unit 200 records, in the data migration log area 550 of thestorage unit 3, (SLBA, sector count), which indicates an SLBA and asector count in which write is performed in the storage unit 3. Forexample, in this example, write is performed in an SLBA area of onesector from the SLBA=0 of the storage unit 3. Therefore, (0, 1) isadditionally written in the data migration log area 550. As explainedabove, when continuous LBA areas and overlapping LBA areas are alreadyrecorded in the data migration log area 550, an SLBA area obtained bymerging the LBA areas is recorded in the data migration log area 550.When write is performed in a logical slot not in the data migratingstate, update of the data migration log 550 is not performed.

Example 2

Upon receiving a write command for new data D(7)new for the ALBA=7 fromthe client 1002, the control unit 200 specifies the SLBA=2 and thelogical slot 2 from the ALBA=7. Because the logical slot 2 is not in thedata migrating state, D(7)new is written in the SLBA=0 of the storageunit 2B. The control unit 200 performs read of D(6) and D(8) from thelogical slot 0 and the logical slot 3 based on the read operation,calculates parity data P(6, 8)new, and stores the parity data P(6, 8)newin the logical slot 1. Because the logical slot 1 is in the datamigrating state, the control unit 200 writes P(6, 8)new in the storageunit 3 rather than the storage unit 2B and records (SLBA, sectorcount)=(2, 1), which indicates an SLBA and a sector count in which writeis performed in the storage unit 3, in the data migration log area 550of the storage unit 3.

Example 3

Upon receiving a write command for new data D(16)new for the ALBA=16from the client 1002, the control unit 200 specifies the SLBA=5 and thelogical slot 1 from the ALBA=16. In the present example, because thelogical slot 1 is in the data migrating state, the control unit 200writes D(16)new in the storage unit 3. The control unit 200 reads D(15)from the storage unit 2A of the logical slot 0 and reads D(17) from thestorage unit 2D of the logical slot 2 based on the read operation,calculates new parity data P(15, 17)new from D(15), D(16)new, and D(17)through exclusive OR, and stores P(15, 17)new in the SLBA=5 of thestorage unit 2C of the logical slot 2. The control unit 200 records, inthe data migration log area 550 of the storage unit 3, (SLBA, sectorcount), which indicates an SLBA and a sector count in which write isperformed in the storage unit 3. For example, in this example, write isperformed in an LBA area of one sector from the SLBA=5 of the storageunit 3. Therefore, (5, 1) is additionally written in the data migrationlog area 550. As explained above, when continuous SLBA areas andoverlapping SLBA areas are already recorded in the data migration logarea 550, an SLBA area obtained by merging the SLBA areas is recorded inthe data migration log area 550. When write is performed in a slot notin the data migrating state, update of the data migration log 550 is notperformed. In this way, as in the second embodiment, every time a writerequest is received from the client 1002, data of an SLBA correspondingto the write request is written in the data migration destinationstorage unit 3 rather than the data migration source storage unit 2B anda data migration log is recorded. Consequently, it is possible tosimultaneously perform new data write and data migrating operations.

Background Backup

During idling when, for example, a command is not received from theclient 1002 for a fixed time or more or when a standby mode transitionrequest is received from the client 1002, the control unit 200 performsbackground backup from the storage unit 2 to the storage unit 3. Thecontrol unit 200 reads the data migration log area 550 of the storageunit 3, performs read from the storage unit 2B to an SLBA not recordedin the data migration log area 550, writes the data in the storage unit3, and stores the SLBA and a sector size of write data in the datamigration log area 550 of the storage unit 3 to perform the backgroundbackup. In the storage of the SLBA in the data migration log 550, whencontinuous SLBA areas are present or when overlapping SLBA areas arepresent, it is desirable that an SLBA area obtained by merging the SLBAareas is stored in the data migration log 550 and the SLBA areas beforethe merging are deleted from the data migration log area 550.

To reduce a data size of a data migration log stored in the datamigration log area 550 and to perform data migration end determinationexplained below at high speed, it is desirable that the backgroundbackup is preferentially performed for un-migrated fragmented SLBA areasamong SLBA areas other than the SLBA area registered in the datamigration log 550. The control program 200 backs up the un-migratedfragmented SLBA area and subjects the un-migrated fragmented LBA area todata migration to thereby store a newly migrated SLBA area in the datamigration log 550 as an SLBA area formed by merging the newly migratedSLBA area with a migrated SLBA area continuously located before andafter the newly migrated SLBA area.

Monitoring of a Data Migration State

The control unit 200 reads the data migration log area 550 to monitor adata migration state of a logical slot under data migration. FIG. 68shows a monitoring procedure for monitoring a data migration state usinga data migration log. For example, the control unit 200 reads a datamigration log from the data migration log area 550 every time apredetermined time elapses (steps S600 and S601). When all migrationtarget SLBAs are included in the data migration log 550, the controlunit 200 determines that the data migration is completed. For example,when all SLBAs of the data migration source storage unit 2B are includedin the data migration log 550, the control unit 200 determines that thedata migration is completed (step S602). As the determination of thecompletion of the data migration, for example, the control unit 200 candetermine whether all SLBAs of the data migration destination storageunit 3 are included in the data migration log 550.

When the control unit 200 determines that the data migration iscompleted, the control unit 200 changes a status of the data migrationsource storage unit 2 to the discard target state of 5 and changes astatus of the data migration destination storage unit 3 to the normalstate of 1 (step S603) to end a data migration state of the logical slot1 and end the data migration state monitoring for the logical slot 1. Interms of reducing the power consumption of the storage unit 2B, it isdesirable that the control unit 200 transmits a transition request tothe low power consumption mode to the storage unit 2. After the end ofthe data migrating state, it is desirable that the control unit 200notifies, through the display 9 or the LED set near the port, the useror the administrator to detach the storage unit 2B from the interface 19or controls the storage load/unload apparatus to detach the storage unit2B from the interface 19.

Transition of Entire Statuses

FIG. 69 shows transition of statuses of the storage units that occurswhen the storage unit 2B has reached the life end. When all the storageunits 2A to 2D are in the normal state, statuses of all the storageunits 2A to 2D are 1 and the storage unit 3 is unconnected to thestorage interface 1007 (step 1). When the control unit 200 determinesthat the storage unit 2B has reached the life end, the control unit 200changes a status of the storage unit 2B to 2 (step 2). The storage unit3, which is a new storage unit, is connected to the storage interface1007 based on a notification or a command from the control unit 200(step 3). When the storage unit 3 is connected, the control unit 200changes the status of the data migration source storage unit 2B to 3 andchanges a status of the data migration destination storage unit 3 to 4to shift a state of the logical slot 1 to the data migrating state (step4). When the control unit 200 determines based on information read fromthe data migration log area 550 that all valid data of the storage unit2B is migrated to the storage unit 3, the control unit 200 changes thestatus of the storage unit 2B to 5 and changes the status of the storageunit 3 to 1. Thereafter, the storage unit 2A, the storage unit 3, thestorage unit 2C, and the storage unit 2D behave as if the storage unit2A, the storage unit 3, the storage unit 2C, and the storage unit 2D arethe original storage unit 2A, the original storage unit 2B, the originalstorage unit 2C, and the original storage unit 2D (the processingreturns to step 1). Thereafter, when it is further determined that anyone of the storage unit 2A, the storage unit 3, the storage unit 2C, andthe storage unit 2D has reached the life end, the same steps 2 to 5 arerepeated. In this way, even when any one of the storage units of thestorage array device 1003 has reached the life end, is about to reachthe life end, or is about to fail, it is possible to easily migrate dataof the storage unit to a new storage unit according to this embodiment.In this embodiment, because the data migrating operation is performed inthe background, it is possible to suppress performance deterioration dueto the backup operation.

A Data Migrating State of One Storage Unit and a Failure of AnotherStorage Unit Simultaneously Occur

In an example shown in FIG. 70, a data migrating state of one storageunit and a failure of another storage unit simultaneously occur. In anexample shown in FIG. 70, when the logical slot 1 is in the datamigrating state, the storage unit 2B is allocated as the data migrationsource, the storage unit 3 is allocated as the data migrationdestination, and the logical slots 0, 2, and 3 are in the normal state,a failure occurs in the storage unit 2D of the logical slot 3.

In the case of read from the SLBA=0, data restoration is unnecessary forread of D(0) of the logical slot 0 and D(2) of the logical slot 2. Readof D(1) of the logical slot 1 can be realized by reading D(1)new, whichis the latest data, from the data migration destination storage unit 3.In the case of read from the SLBA=2, data restoration is unnecessary forread of D(6) of the logical slot 0 and D(7) of the logical slot 2. Readof D(8) of the logical slot 3 can be realized by restoring data byexclusive ORing D(6) and D(7) and P(6, 8)new from the data migrationdestination storage unit 3. In the case of read from the SLBA=5, datarestoration is unnecessary for read of D(15) of the logical slot 0. Readof D(16) of the logical slot 1 can be realized by reading D(16)new,which is the latest data, from the data migration destination storageunit 3. Read of D(17) of the logical slot 3 can be realized by restoringdata by exclusive ORing D(15), D(16) new of the data migrationdestination storage unit 3, and P(15, 17)new of the logical slot 2.

Data Migrating States of Two Storage Units and a Failure of One StorageUnit Simultaneously Occur

In an example shown in FIG. 71, data migrating states of two storageunits and a failure of another storage unit simultaneously occur. In anexample shown in FIG. 71, when the logical slot 1 and the logical slot 2are in the data migrating state, the storage units 2B and 2C areallocated as data migration sources, storage units 3B and 3C areallocated as data migration destinations, and the logical slots 0 and 3are in the normal state, a failure occurs in the storage unit 2D of thelogical slot 3.

In the case of read from the SLBA=0, data restoration is unnecessary forread of D(0) of the logical slot 0 and D(2) of the logical slot 2, readof D(1) of the logical slot 1 can be realized by reading D(1)new fromthe data migration destination storage unit 3B. In the case of read fromthe SLBA=2, data restoration is unnecessary for read of D(6) of thelogical slot 0. Read of D(7) of the logical slot 2 can be realized byreading D(7)new, which is the latest data, from the data migrationdestination storage unit 3C. Read of D(8) of the logical slot 3 can berealized by restoring data by exclusive ORing D(6), D(7)new, and P(6,8)new. In the case of read from the SLBA=5, data restoration isunnecessary for read of D(15) of the logical slot 0. Read of D(16) ofthe logical slot 1 can be realized by reading D(16)new, which is thelatest data, from the data migration destination storage unit 3B. Readof D(17) of the logical slot 3 can be realized by restoring data byexclusive ORing D(15), D(16)new of the data migration destinationstorage unit 3B, and P(15, 17)new of the data migration destinationstorage unit 3C of the logical slot 2.

A Data Migrating State of One Storage Unit and a Data Read InabilityError Simultaneously Occur

In an example shown in FIG. 72, a read error such as an uncorrectableECC error (UECC error) occurs in one storage unit during data migration.

Example 1

Upon receiving a read command for data D(2) for the ALBA=2, the controlunit 200 specifies the SLBA=0 and the logical unit 2 from the ALBA=2.When a UECC error occurs in read of the data D(2) from the storage unit2C of the logical slot 2, D(2) can be restored by exclusive ORingD(1)new of the data migration destination storage unit 3 and P(0, 2)newof the logical slot 3.

Example 2

Upon receiving a read command for new data D(8) for ALBA=8 from theclient 1002, the control unit 200 specifies the SLBA=2 and the logicalslot 3 from the ALBA=8. When an UECC error occurs in read of the dataD(8) from the storage unit 2D of the logical slot 3, D(8) can berestored by exclusive ORing D(6), D(7)new, and P(6, 8)new of the storageunit 3.

Example 3

Upon receiving a read command for new data D(9) for ALBA=9 from theclient 1002, the control unit 200 specifies the SLBA=3 and the logicalslot 1 from the ALBA=9. When a UECC error occurs in read of the dataD(9) from the storage unit 2B of the logical slot 1, D(9) can berestored by exclusive ORing D(10), D(11), and P(9, 10).

Fourth Embodiment

In a fourth embodiment, the present invention is applied to theinformation processing system 1 including a storage network. In thisembodiment, the information processing system 1 is configured as shownin FIG. 73. The information processing system 1 can be configured asshown in FIG. 74. As shown in FIG. 73, the information processing system1 in this embodiment includes the storage unit 2, the storage unit 3,one or a plurality of other storage units 6004, one or a plurality ofmetadata servers 6003, a server 6001, a storage network 1000 configuredto connect the storage unit 2, the storage unit 3, the storage unit6004, the metadata server 6003, and the server 6001 one another, one ora plurality of clients 6002, and a network 6000 configured to connectthe server 6001 and the client 6002 each other. In the case of FIG. 74,the storage network 1000 is connected to a storage network 6001 b via achannel extender and a long-distance network such as a WAN. The storageunit 3 is connected to the storage network 6001 b.

The storage units 2 and 3 include the status management areas 510. Thestorage units 2 and 3 can include the data migration target managementareas 2007 and 3007 (see FIG. 32) same as those in the first embodimentor can include the logical drive ID management areas 520 same as thosein the second embodiment. As explained above, the status managementareas 510 respectively indicate that the storage units correspondingthereto are in the following states:

0: initial storage state

1: normal state

2: low reliability state

3: data migration source state (protected state)

4: data migration destination state

5: discard target state

The metadata server 6003 includes the main memory 6 configured to storesthe OS 100, the control unit 200, the metadata 300, and the logicaldrive status table 450 same as those in the first embodiment and the CPU5, which is an arithmetic unit configured to execute the OS 100 and thecontrol unit 200. The metadata server 6003 plays functions equivalent tothe OS 100 and the control unit 200 of the information processing device111 in the first embodiment. The metadata 300 stored in the main memory6 of the metadata server 6003 has, for example, a structure shown inFIG. 33. Metadata on the main memory 6 and a journal of the metadata arebacked up in a nonvolatile storage unit in the metadata server 6003, anonvolatile storage unit in the storage network 1000, the storage unit2, the storage unit 3, and the like. The logical drive status table 450has, for example, a structure shown in FIG. 40. The logical drive statustable 450 indicates that the logical drive is in the normal state or thedata migrating state. For example, upon receiving a file ID from theserver 6001, the metadata server 6003 retrieves the file ID from themetadata area 300 and specifies a logical drive address, a storage unitidentification name, which is a storage unit address, an LBA, a sectorcount, and the like. As the storage unit identification name, which isthe storage unit address, for example, an IP (Internet Protocol)address, a MAC (Media Access Control) address, or a WWN (World WideName) can be used. The status tables 510 store statuses of the storageunits 2 and 3 connected to the storage network 1000.

The logical drive status table 450 can be structured as shown in FIG.41. A status table 650 shown in FIG. 75 can be stored in the main memory6 of the metadata server 6003. The logical drive status table 450 doesnot have to be stored in the main memory 6. In the status table 650, alogical drive address, a storage unit identification name, a logicaldrive status, and a storage status are managed. The status table 650 isused instead of the logical drive status table 450 and the statusmanagement areas 510. Then, the status management areas 510 in thestorage units 2 and 3 are unnecessary. In FIG. 75, a logical driveaddress B includes two storage units, storage unit identification namesof which are b1 and b2. The storage units are in the data migratingstate. The storage unit having the storage unit identification name b1is a data migration source. The storage unit having the storage unitidentification name b2 is a data migration destination.

The storage network 1000 is a network for a storage access. For example,a Fibre Channel or an Ethernet (registered trademark) is used. Inparticular, as the storage network 1000, for example, a SAN (StorageArea Network) or a NAS (Network Attached Storage) is used. As the SAN,for example, an FC-SAN (Fibre Channel Storage Area Network) or an IP-SAN(Internet Protocol Storage Area Network) is used. As an upper layerprotocol of the SAN, for example, a SCSI (Small Computer SystemInterface) is used. In an example explained in this embodiment, an iSCSIis used as the upper layer protocol. The storage network 1000 includesthe network switch 6009 and a hub (not shown in the figure).

The network 6000 is a network for allowing a client to access the server6001 and use various services. For example, a Fibre Channel or anEthernet (registered trademark) is used as the network 6000. Forexample, there are a WAN, a LAN, and the like as the network 6000. Thenetwork 6000 includes a network switch (not shown in the figure) and ahub (not shown in the figure).

The client 1002 is a computer connected to the network 6000 andconfigured to carry out desired processing. The client 1002 typicallyincludes hardware resources such as a processor, a main memory, acommunication interface, and a local input/output device. Further, theclient 1002 includes software resources such as a device driver, anoperating system (OS), and the application program 400 (not shown in thefigure). Consequently, the client 1002 executes various programs underthe control by the processor and realizes processing in cooperation withthe hardware resources. For example, the client 1002 executes a businessapplication program under the control by the processor to therebyI/O-access the server 6001 through the network 6000 and realize adesired business system.

The server 6001 is a computer connected to the storage network 1000 andthe network 6000 and configured to carry out desired processingaccording to a request from the client 1002. The server 6001 typicallyincludes hardware resources such as a processor, a main memory, acommunication interface, and a local input/output device. Further, theserver 6001 includes software resources such as a device driver, anoperating system (OS), and an application program (not shown in thefigure). Consequently, the server 6001 executes various programs underthe control by the processor and realizes processing in cooperation withthe hardware resources. For example, the server 6001 executes anapplication service program under the control by the processor inresponse to a request from the client 1002 to thereby I/O-access thestorage unit 2, the storage unit 3, or the storage unit 6004 through thestorage network 6000 and realize a desired application service program.

For example, upon receiving a file data read request and a file ID fromthe client 6002, the server 6001 transmits the file ID to the metadataserver 6003, receives a storage unit address such as an IP address, aMAC address, or a WWN and an LBA of a storage unit in which a file fromthe metadata server 6003 is stored, transmits a packet designating thestorage unit address to the storage network 1000 to transmit a readcommand to the storage unit, receives read data from the storage unit,and transmits the read data to the client 1002. For example, uponreceiving a file data write request and a file ID from the client 1002,the server 6001 transmits the file ID to the metadata server 6003,receives a storage unit address and an LBA of a storage unit in which afile from the metadata server 6003 should be stored, receives write datafrom the client 6002, and transmits the data to the storage unit towrite the data. The server 6001 can be a database server (DB server),which is a server on which a database management system (DBMS) isoperating.

Processing for Determining Life End

When started, the control unit 200 monitors reliability information suchas the statistical information 65 concerning the storage unit 2. Forexample, as shown in FIG. 24, the control unit 200 acquires thestatistical information 65 from the storage unit 2 at every fixed time(e.g., every one minute) or in each fixed number of times of processing.As in the first embodiment, the control unit 200 determines, based onthe acquired reliability information, whether the storage unit 2 hasreached the life end. When the control unit 200 determines that thestorage unit 2 has reached the life end, the control unit 200 executeslife end processing explained below.

Life End Processing

When the connected storage unit 2 has reached the life end or is aboutto reach the life end and the life end processing is started, afterchanging the status 510 of the storage unit 2 to the storage status=2(the low reliability state), the control unit 200 displays a message forurging connection of a new storage unit on the display 9 and the like ofthe metadata server 6003, the server 6001, and the client 6002. When thenew storage unit 3 is connected, the control unit 200 rewrites thestatus 510 of the storage unit 3 of the status table 450 to the storagestatus=4 (the data migration destination state) and further rewrites thestatus 510 of the storage unit 2 to the storage status=3 (the protectedstate). The control unit 200 causes the OS 100 to recognize the storageunit 2 and the storage unit 3 as one logical drive 4. The control unit200 rewrites a status of the logical drive 4 stored in the logical drivestatus table 450 or the status table 650 on the main memory 6 from the“normal state” to the “data migrating state”.

Read from the Logical Drive in the Data Migrating State

Upon receiving a read request and a file ID from the client 6002, theserver 6001 transmits the file ID to the metadata server 6003. Themetadata server 6003 specifies the logical drive 4 corresponding to thefile ID from the metadata 300, reads the logical drive status table 450and the status table 650 from the main memory 6, and recognizes that astatus of the specified logical drive 4 is the data migrating state. Themetadata server 6003 acquires, from the metadata 300, a storage unitaddress and an LBA of the storage unit 2 or 3 in which a file designatedby the file ID is stored and transmits the acquired storage unit addressand the acquired LBA to the server 6001. The server 6001 transmits apacket designating the received storage unit address and the receivedLBA to the storage network 1000 to transmit a read command to thestorage unit 2 or 3, receives read data from the storage unit, andtransmits the read data to the client 1002.

Write in the Logical Drive

For example, upon receiving a file data write request and a file ID fromthe client 1002, the server 6001 transmits the file ID to the metadataserver 6003. The metadata server 6003 determines a status of the logicaldrive 4 from the logical drive status table 450 or the status table 650and recognizes the logical drive 4 as being in the normal state. Then,the metadata server 6003 reads the metadata 300 from the main memory 6and allocates an LBA for data write referring to the metadata 300. Themetadata server 6003 transmits the LBA and a storage unit address and anLBA of the storage unit 2 to the server 6001. The server 6001 transmitsa packet designating the received storage unit address and the receivedLBA to the storage network 1000 to transmit a write command to thestorage unit 2 and stores write data in the storage unit 2. The controlunit 200 rewrites the metadata 300 and maps an LBA and a sector count ofthe write data to the storage unit 2 and a write file ID.

When the control unit 200 recognizes the logical drive 4 as being in thedata migrating state, the control unit 200 reads the metadata 300 fromthe main memory 6 and allocates an LBA for data write referring to themetadata 300. The metadata server 6003 transmits the LBA and a storageunit address and an LBA of the storage unit 3 to the server 6001. Theserver 6001 transmits a write request packet designating the receivedstorage unit address and the received LBA of the storage unit 3 to thestorage network 1000 to transmit a write command to the storage unit 3and stores write data in the storage unit 3. The control unit 200updates the metadata 300, invalidates the mappings from the file ID tothe storage unit 2, and maps the file ID to the storage unit 3, thewritten LBA and a sector count to realize data migration from thestorage unit 2 to the storage unit 3 using write in the storage unit 3.

Background Backup

When the logical drive 4 is in a status of the data migrating state inthe logical drive status table 450, the control unit 200 can performbackground backup from the data migration source storage unit 2 to thedata migration destination storage unit 3 when an access to the logicaldrive 4 by the client 6002 hardly takes place (during idling). Thecontrol unit 200 reads the metadata 300 from the main memory 6 andsearches for a file ID mapped to the storage unit 2. If a file mapped tothe storage unit 2 is present, the control unit 200 transmits a readcommand to the storage unit 2 via the server 6001 to perform read froman LBA of the file and receives read data. The control unit 200transmits a write command and the read data to the LBA of the storageunit 3, performs write, rewrites the metadata 300 on the main memory 6,invalidates mappings from the file ID to the storage unit 2, and mapsthe file ID to the storage unit 3.

Server-free backup (server-less backup) can be adopted as a backgroundbackup operation of the control unit 200. In that case, for example, anextended copy command can be used. As the extended copy command, forexample, a 83h EXTENDED COPY command described in SCSI PrimaryCommands-4 (SPC-4), INCITS T10/1731-D, Revision 36e(http://www.t10.org/) can be used. The control unit 200 transmits anextended copy command including a backup target LBA and an address ofthe storage unit 3 to the storage unit 2. Then, the storage unit 2 readsdata from the LBA and transmits the read data to the storage unit 3. Thestorage unit 3 writes reception data in the LBA.

Data Migration Completion Time

In the logical drive status table 450, when a status of the logicaldrive 4 is the “data migrating state”, the control unit 200 periodicallyreads the metadata 300 on the main memory 6 and periodically checkswhether a migration target file ID mapped to the storage unit 2 ispresent. For example, the control unit 200 periodically checks whether amigration target file ID mapped to the storage unit 2 is present amongfile IDs of all files stored in the logical drive 4. When the migrationtarget file ID is absent, the control unit 200 rewrites the status 510of the data migration destination storage unit 3 to the storage status=1(the normal state) and rewrites the status 510 of the data migrationsource storage unit 2 to the storage status=5 (the discard targetstate). The control unit 200 separates the storage unit 2 from thelogical drive 4, recognizes the storage unit 3 as the logical drive 4,and rewrites a status of the logical drive 4 in the logical drive statustable 450 or the status table 650 from the “data migrating state” to the“normal state”.

As explained above, in the data migrating state, in data write in thelogical drive 4, a write command is not transmitted to the datamigration source storage unit 2 and is transmitted to the data migrationdestination storage unit 3. Data read from the logical drive 4 isexecuted from the storage unit 2 or 3. In the logical drive 4, everytime a write request is received from the client 6002, valid data storedin the storage unit 2 is gradually migrated to the storage unit 3. A newdata write operation also serves as a data migrating operation.

Fifth Embodiment

In a fifth embodiment, the present invention is applied to theinformation processing system 1 including a plurality of data centers(DCs) and a long-distance network configured to connect the data centers(DCs). In this embodiment, the information processing system 1 isconfigured as shown in FIG. 76. In this embodiment, the informationprocessing system 1 includes a data migration source data center 3002(storage unit 3002), a data migration destination data center 3003(storage unit 3003), a data center 3005, which is another data center, aserver 3006, a data center management server 3007, and a long-distancenetwork 3000 configured to connect the devices. In this embodiment, thedata center management server 3007 recognizes the data center 3002 as alogical data center 3004 functioning as a logical unit. When the datacenter 3002 is deteriorated in reliability, the data center managementserver 3007 recognizes the data center 3002 and the data center 3003 asthe logical data center 3004.

The data centers 3002 and 3003 include the status management areas 510.The storage units 3002 and 3003 can include the data migration targetmanagement areas 2007 and 3007 corresponding to the data migrationtarget management areas 2007 and 3007 (see FIG. 32) in the firstembodiment. The storage units 3002 and 3003 can include the logical datacenter ID management areas 520 corresponding to the logical drive IDmanagement areas 520 in the second embodiment. As explained above, thestatus management areas 510 indicate that storage units correspondingthereto are in the following states:

0: initial storage state

1: normal state

2: low reliability state

3: data migration source state (protected state)

4: data migration destination state

5: discard target state

The data center management server 3007 includes the main memory 6 thatstores the OS 100, the control unit 200, the metadata 300, and a logicaldata center status table 450 same as those in the first embodiment andthe CPU 5, which is an arithmetic unit configured to execute the OS 100and the control unit 200. The data center management server 3007 playsfunctions equivalent to the OS 100 and the control unit 200 of theinformation processing device 111 in the first embodiment. The metadata300 stored in the main memory 6 of the data center management server3007 has, for example, a structure shown in FIG. 33. Metadata on themain memory 6 and a journal of the metadata are backed up in anonvolatile storage unit in the data center management server 3007 andthe data centers 3002, 3003, and 3005 in the long-distance network 3000.The logical data center status table 450 has, for example, a structureshown in FIG. 41. The logical data center status table 450 indicatesthat the logical data center 3004 is in the normal state or the datamigrating state. For example, upon receiving a file ID from the server3006, the data center management server 3007 retrieves the file ID fromthe metadata area 300 and specifies a logical data center ID, a datacenter ID, an LBA, a sector count, and the like corresponding to thefile ID. The status tables 510 store statuses of the data centers 3002and 3003.

Besides configuring the logical data center status table 450 in thestructure shown in FIG. 41, the status table 650 shown in FIG. 75 can beadopted as the data center management server 3007. In the status table650, a logical data center ID, a data center ID, a logical data centerstatus, and a data center status are managed. In this case, the statusmanagement areas 510 in the storage units 2 and 3 are unnecessary. Thecontrol unit 200 can manage migration of data from the data center 3002to the data center 3003 using, instead of the metadata area 300, a datamigration log storage area as in the second embodiment.

Processing for Determining Life End

When started, the control unit 200 monitors the reliability informationconcerning the data center 3002. For example, as shown in FIG. 24, thecontrol unit 200 acquires the statistical information 65 from the datacenter 3002 at every fixed time (e.g., every one minute) or in eachfixed number of times of processing. As in the first embodiment, thecontrol unit 200 determines, based on the acquired statisticalinformation 65, whether the data center 3002 has reached the life end.When the control unit 200 determines that the data center 3002 hasreached the life end, the control unit 200 executes life end processingexplained below.

Life End Processing

When the connected data center 3002 has reached the life end or is aboutto reach the life end and the life end processing is started, afterchanging the status 510 of the data center 3002 to the data centerstatus=2 (the low reliability state), the control unit 200 displays amessage for urging connection of a new data center on a display of thedata center management server 3007 and the like. When the new datacenter 3003 is connected, the control unit 200 rewrites the status 510of the data center 3003 of the status table 450 to the data centerstatus=4 (the data migration destination state) and further rewrites thestatus 510 of the data center 3002 to the data center status=3 (theprotected state). The control unit 200 causes the OS 100 to recognizethe data center 3002 and the data center 3003 as one logical data center3004. The control unit 200 rewrites a status of the logical data centerstatus table 450 on the main memory 6 from the “normal state” to the“data migrating state”.

(Read from the Logical Data Center in the Data Migrating State)

Upon receiving a read request and a file ID from the server 3006, thedata center management server 3007 specifies the logical data center3004 corresponding to the file ID from the metadata 300, reads thelogical data center status table 450 from the main memory 6, andrecognizes that a status of the specified logical data center 3004 isthe data migrating state. The data center management server 3007acquires, from the metadata 300, a data center address and an LBA of thedata center 3002 or 3003 in which a file designated by the file ID isstored and transmits the acquired data center address and the acquiredLBA to the server 3006. The server 3001 transmits a packet designatingthe received data center address and the received LBA to the network3000 to transmit a read command to the data center 3002 or 3003, andreceives read data from the data center 3002 or 3003.

Write in the Logical Data Center

Upon receiving a write request and a file ID from the server 3006, thedata center management server 3007 determines a status of the logicaldata center 3004 from the logical data center status table 450 andrecognizes the logical data center 3004 as being in the normal state.Then, the data center management server 3007 reads the metadata 300 fromthe main memory 6 and allocates an LBA for data write referring to themetadata 300. The data center management server 3007 transmits the LBAand a data center ID and an LBA of the data center 3002 to the server3006. The server 3006 transmits a packet designating the received datacenter ID and the received LBA to the network 3000 to transmit a writecommand to the data center 3002 and stores write data in the data center3002.

When the data center management server 3007 recognizes the logical datacenter 3004 as being in the data migrating state, the data centermanagement server 3007 reads the metadata 300 from the main memory 6 andallocates an LBA for data write referring to the metadata 300. The datacenter management server 3007 transmits the LBA and a data center ID andan LBA of the data center 3003 to the server 3006. The server 3006transmits a packet designating the received data center ID and thereceived LBA of the data center 3003 to the network 3000 to transmit awrite command to the data center 3003 and stores write data in the datacenter 3003.

Background Backup

When the logical data center 3004 is in a status of the data migratingstate in the logical drive status table 450, the control unit 200 canperform background backup from the data migration source data center3002 to the data migration destination data center 3003 when an accessto the logical data center 3004 by the server 3006 hardly takes place(during idling). The control unit 200 reads the metadata 300 from themain memory 6 and searches for a file ID mapped to the data center 3002.If a file mapped to the data center 3002 is present, the control unit200 transmits a read command to the data center 3002 via the server 3006to perform read from an LBA of the file and receives read data from thedata center 3002. The control unit 200 transmits a write command and theread data to the LBA of the data center 3003, performs write, rewritesthe metadata 300 on the main memory 6, and maps the file ID to the datacenter 3003.

Server-free backup can be adopted as a background backup operation ofthe control unit 200. In that case, for example, an extended copycommand can be used. As the extended copy command, for example, a 83hEXTENDED COPY command described in SCSI Primary Commands-4 (SPC-4),INCITS T10/1731-D, Revision 36e (http://www.t10.org/) can be used. Thecontrol unit 200 transmits an extended copy command including a backuptarget LBA and an ID of the data center 3003 to the data center 3002.Then, the data center 3002 reads data from the LBA and transmits theread data to the data center 3003. The data center 3003 writes receptiondata in the LBA.

Data Migration Completion Time

In the logical drive status table 450, when a status of the logical datacenter 3004 is the “data migrating state”, the control unit 200periodically reads the metadata 300 on the main memory 6 andperiodically checks whether a migration target file ID mapped to thedata center 3002 is present. For example, the control unit 200periodically checks whether a migration target file ID mapped to thedata center 3002 is present among file IDs of all files stored in thelogical data center 3004. When the migration target file ID is absent,the control unit 200 rewrites the status 510 of the data migrationdestination data center 3003 to the data center status=1 (the normalstate) and rewrites the status 510 of the data migration source datacenter 3002 to the data center status=5 (the discard target state). Thecontrol unit 200 separates the data center 3002 from the logical datacenter 3004, recognizes the data center 3003 as the logical data center3004, and rewrites a status of the logical data center 3004 from the“data migrating state” to the “normal state” in the logical drive statustable 450.

As explained above, during the data migration, in data write in thelogical data center 3004, a write command is not transmitted to the datamigration source data center 3002 and is transmitted to the datamigration destination data center 3003. Data read from the logical datacenter 3004 is executed from the data center 3002 or 3003. In thelogical data center 3004, every time a write request is received fromthe server 3006, valid data stored in the data center 3002 is graduallymigrated to the data center 3003. A new data write operation also servesas a data migrating operation.

Sixth Embodiment Relay Unit

In the first and second embodiments, when the control unit 200determines that the storage unit 2 has reached the life end, is about toreach the life end, or is about to fail or determines that the storageunit 2 is deteriorated in reliability, the control unit 200 processes awrite request to prevent write in the storage unit 2. Consequently, itis possible to suppress further deterioration in the reliability of thestorage unit 2 and prevent a loss of new write data. To safely limitdata write in the storage unit 2, it is desirable to prevent theinformation processing device, the client, and the server fromspontaneously performing write in the storage unit. In this embodiment,the information processing system includes a relay unit 5000. Thecontrol unit 200 in the relay unit 5000 monitors reliability informationsuch as statistical information of the storage unit 2. When the relayunit 5000 determines that the storage unit 2 has reached the life end,is about to reach the life end, or is about to fail or the storage unit2 is deteriorated in the reliability, the control unit 200 notifies theinformation processing device 111, the client, and the server ofinformation indicating that the storage unit 2 is a read only device tothereby prevent the information processing device 111, the client, andthe server from spontaneously perform write in the storage unit 2. Thisembodiment can be carried out independently. On the other hand, whenthis embodiment is combined with the first embodiment, the secondembodiment, or the like, it is possible to more robustly suppress writein the storage unit 2 deteriorated in the reliability. For example, whenthis embodiment is combined with the first embodiment, the secondembodiment, or the like, the relay unit 5000 transmits storage unitinformation indicating that the storage unit 2 is a storage unit thatsupports only read of read and write. The CPU 5 and the control unit 200stored in the main memory 6 recognize the storage unit 2 as a read onlystorage unit and recognize the storage unit 2 as being in the protectedstate (the data migration source state).

FIG. 77 is an example in which the relay unit 5000 is mounted on theinformation processing system 1 such as a desktop personal computer or anotebook personal computer. The relay unit 5000 can be mounted insidethe information processing device 111 or can be mounted outside theinformation processing device 111. The relay unit 5000 is connected tothe storage unit 2 via the interface 19 and connected to the CPU 5 viaan interface 5001 and the chip set 7. The relay unit 5000 can bedirectly connected to the CPU 5 not via the chip set 7. The relay unit5000 can be embedded in the chip set 7.

The relay unit 5000 includes the control unit 200. As shown in FIG. 77,the entire control unit 200 is included in the relay unit 5000. As shownin FIG. 78, a part of the control unit 200 can be included in the relayunit 5000 and a part of the control unit 200 can be included in the mainmemory 6. A part of the control unit 200 can be included in the relayunit 5000 and a part of the control unit 200 can be included in anothermemory section in the information processing device 111 such as the ROM11. The control unit 200 can be implemented in a form of a firmware orsoftware or can be implemented in a form of hardware.

As the interface 19 and the interface 5001, for example, a SATA (SerialAdvanced Technology Attachment), a PCI Express (Peripheral ComponentInterconnect Express, PCIe), a USB (Universal Serial Bus), a SAS (SerialAttached SCSI), a Thunderbolt (registered trademark), an Ethernet(registered trademark), and a Fibre Channel can be used. The interface19 and the interface 5001 can be interfaces of the same standard or canbe interfaces of different standards. In this embodiment, the interface19 and the interface 5000 are SATA interfaces.

In the same manner as shown in FIGS. 24 and 29 in the first embodiment,the control unit 200 determines whether the storage unit 2 has reachedthe life end, is about to reach the life end, or is about to fail. Whenthe control unit 200 determines that the storage unit 2 has reached thelife end, is about to reach the life end, or is about to fail, as shownin FIG. 79, the control unit 200 transitions from the normal state tothe low reliability state to perform the life end processing (stepS800). The normal state and the low reliability state are modes of thecontrol unit 200. When the storage unit 2 is normal, the control unit200 operates in the normal state. When the control unit 200 determineswhether the storage unit 2 has reached the life end, is about to reachthe life end, or is about to fail or the storage unit 2 is deterioratedin the reliability, the control unit 200 operates in the low reliabilitystate. As in the first embodiment, the life end determination is carriedout at every fixed time, in each fixed number of times of processing, orevery transmission and reception of fixed data as shown in FIG. 24 orwhen a command response received from the storage unit 2 is an errorresponse as shown in FIGS. 29 and 30.

The control unit 200 transmits a command and data received from the CPU5 via the interface 5001 to the storage unit 2 through the interface 19.The control unit 200 transmits a response and data received from thestorage unit 2 through the interface 19 to the CPU 5 through theinterface 5001. When protocols of the interface 5001 and the interface19 are different, after performing protocol transformation, the controlunit 200 transmits the command, the response, and the data after thetransformation to the CPU 5 and the storage unit 2. When transmittingstorage unit information of the storage unit 2 to the CPU 5, the controlunit 200 switches the storage unit information according to whether thecontrol unit 200 is in the normal state or the low reliability state.That is, in the normal state, the control unit 200 transmits storageunit information indicating that the storage unit 2 is a readable andwritable storage unit to the CPU 5. In the low reliability state, thecontrol unit 200 transmits storage unit information indicating that thestorage unit 2 is a readable only storage unit to the CPU 5.

Upon receiving a storage unit information request for the storage unit 2from the CPU 5, in the normal state, the control unit 200 transmits, asa response to the storage unit information request, storage unitinformation indicating that the storage unit 2 is a readable andwritable storage unit to the CPU 5. In the low reliability state, thecontrol unit 200 transmits storage unit information indicating that thestorage unit 2 is a readable only storage unit to the CPU 5. As anexample of the storage unit information request, an ECh IDENTIFY DEVICEcommand described in ACS-3, an A3h REPORT IDENTIFYING INFORMATIONcommand described in SCSI Primary Commands-4 (SPC-4), a 46h GETCONFIGURATION command described in INFORMATION TECHNOLOGY Multi-MediaCommands-6 (MMC-6) (http://www.t10.org/), and a 06h Identify commanddescribed in NVM Express Revision 1.1 are used.

FIG. 80 shows an example of a processing procedure performed when thecontrol unit 200 receives a storage unit information request for thestorage unit 2 from the CPU 5. When the control unit 200 receives astorage unit information request for the storage unit 2 from the CPU 5(step S801), the control unit 200 determines, based on whether thecontrol unit 200 is in the normal state or the low reliability state,whether the storage unit 2 is in the low reliability state (step S802).When the storage unit 2 is in the normal state, the control unit 200transmits the storage unit information request to the storage unit 2(step S803), receives storage unit information from the storage unit 2,and transmits the received storage unit information to the CPU 5 (stepS804). When the storage unit 2 is in the low reliability state, thecontrol unit 200 transmits the storage unit information request to thestorage unit 2 (step S805), receives storage unit information from thestorage unit 2, rewrites reception data to change the storage unitinformation to indicate as if the storage unit 2 is a ROM device, andtransmits the changed storage unit information to the CPU 5 (step S806).The control unit 200 can spontaneously carry out the processing at S802to S806 without receiving the storage unit information request from theCPU 5 at step S801. The control unit 200 can transmit the storage unitinformation request to the storage unit 2 between step S801 and stepS802 and does not have to transmit the storage unit information requestto the storage unit 2 at steps S803 and S805.

As shown in FIG. 81, in the low reliability state, the control unit 200can generate storage unit information indicating as if the storage unit2 is a ROM device and transmits the storage unit information to the CPU5 without transmitting a storage unit information request to the storageunit 2. That is, upon receiving a storage unit information request forthe storage unit 2 from the CPU 5 (step S810), the control unit 200determines, based on whether the control unit 200 is in the normal stateor the low reliability state, whether the storage unit 2 is in the lowreliability state (step S811). When the control unit 200 is in thenormal state, the control unit 200 transmits the storage unitinformation request to the storage unit 2 (step S812) and transmitsreceived storage unit information to the CPU 5 (step S813). When thecontrol unit 200 is in the low reliability state, the control unit 200generates storage unit information for indicating to the CPU 5 as if thestorage unit 2 is a ROM device and transmits the generated storage unitinformation to the CPU 5 (step S814) without transmitting the storageunit information request to the storage unit 2.

When operating in the normal state, as the storage unit informationindicating that the storage unit 2 is a readable and writable storageunit, it is desirable that, for example, the control unit 200 explicitlynotifies that CPU 5 that the storage unit 2 is an ATA device. Forexample, it is possible to notify the CPU 5 that the storage unit 2 isan ATA device by substituting 01h in LBA(7:0), substituting 00h inLBA(15:8), and substituting 00h in LBA(23:16) in Device Signaturedescribed in ATA/ATAPI Command Set-3 (ACS-3) and outputting the LBA(7:0), the LBA (15:8), and the LBA (23:16) to the CPU 5.

When operating in the low reliability state, as the storage unitinformation indicating that the storage unit 2 is a readable onlystorage unit, for example, the control unit 200 explicitly notifies theCPU 5 that the storage unit 2 is an ATAPI device. For example, it ispossible to notify the CPU 5 that the storage unit 2 is an ATAPI deviceby substituting 01h in LBA(7:0), substituting 14h in LBA(15:8), andsubstituting EBh in LBA(23:16) in Device Signature described in ACS-3and outputting the LBA (7:0), the LBA(15:8), and the LBA (23)16) to theCPU 5. Further, when operating in the low reliability state, forexample, upon receiving a 46h GET CONFIGURATION command described inINCITS Multi-Media Commands-6 (MMC-6) from the CPU 5 as storage unitinformation indicating that the storage unit 2 is a readable onlystorage unit, the control unit 200 informs the CPU 5 that all writefunctions are not supported in Features such as Random Writable (FeatureNumber=0020h), Incremental Streaming Writable (Feature Number=0021h),and Write Once (Feature Number=0025h). Consequently, even when the OS100 is Windows (registered trademark) or the like, it is possible tocause the OS 100 to recognize the storage unit 2 as a readable device.For the OS 100 and the application program 400 in a layer higher thanthe OS 100, the storage unit 2 is seen as if the storage unit 2 is aread only device. Therefore, it is possible to prevent the OS 100 andthe application program 400 from transmitting a write command to thestorage unit 2 by mistake.

Alternatively, when operating in the low reliability state, as storageunit information indicating that the storage unit 2 is a readable onlystorage unit, for example, the control unit 200 can explicitly notifythe CPU 5 that the storage unit 2 is an ATA device. Upon receiving anECh IDENTIFY DEVICE command described in ACS-3 from the CPU 5, thecontrol unit 200 can notify the CPU 5 of information indicating that allwrite functions are not supported.

A method of notifying whether the storage unit 2 is a readable onlystorage unit can take various forms besides the forms explained above.When the CPU 5 receives information indicating that the storage unit 2is a readable only storage unit, the OS 100 applies a driver for a readonly storage unit, for example, an ATAPI read only storage unit asdriver software applied to the storage unit 2. On the OS 100, thestorage unit 2 is recognized as a read only storage unit such as aCD-ROM, a DVD-ROM, or a BD-ROM. For example, as shown in FIGS. 82 and83, it is desirable that the OS 100 explicitly notifies, with icongraphics or the like, through the display device 9, an administrator, anoperator, and a user of the information processing device 111 that thestorage unit 2 is a read only device such as a CD-ROM, a DVD-ROM, or aBD-ROM. When the user attempts to write a file or the like in thestorage unit 2, as shown in FIG. 84, it is more desirable that the OS100 notifies through the display device 9 that the storage unit 2 iswrite-protected.

Even when the CPU 5 and the OS 100 recognize the storage unit 2 as areadable only storage unit, for example, when the OS 100 applies thedriver for a read only storage unit to the storage unit 2, the CPU 5 cantransmit a read command to the storage unit 2. When the CPU 5 transmitsthe read command to the storage unit 2, the control unit 200 transmitsthe read command to the storage unit 2, the control unit 200 receivesread data from the storage unit 2, and the control unit 200 transmitsthe read data to the CPU 5. In this way, the CPU 5 can read data fromthe storage unit 2 irrespective of whether the control unit 200 is inthe normal state or the low reliability state.

In terms of preventing a user data loss due to data breakage or afailure of the storage unit 2, it is desirable that the control unit 200in the low reliability state is configured not to transmit a writecommand to the storage unit 2 at all. However, for example, when it isnecessary to write a part of data such as system information of the OS100 in the storage unit 2, as an exception, the control unit 200 canpermit write of the data in the storage unit 2. However, it is desirablethat a data amount of the write data is sufficiently small compared withthe capacity of the storage unit 2. To prevent the user fromtransmitting a write command by mistake and writing data in the storageunit 2, it is more desirable that, even if a normal write command to thestorage unit 2 is received from the CPU 5, the control unit 200 does nottransmit the write command to the storage unit 2. As an exception, onlywhen it is necessary to write data in the storage unit 2, for example,only when a write command by a special command is received from the CPU5, the control unit 200 transmits the write command to storage unit 2.For example, when a write command such as 35h WRITE DMA EXT or 61h WRITEFPDMA QUEUED described in ACS-3 is used as the normal write command tothe storage unit 2 of the CPU 5, upon receiving a 35h WRITE DMA EXTcommand or a 61h WRITE FPDMA QUEUED command from the CPU 5 as the normalwrite command, the control unit 200 in the normal state transfers thecommand to the storage unit 2. Upon receiving the 35h WRITE DMA EXTcommand or the 61h WRITE FPDMA QUEUED command from the CPU 5 as thenormal write command, the control unit 200 in the low reliability statedoes not transmit the write command to the storage unit 2. On the otherhand, upon receiving a 30h Write Sectors command, a 3Fh Write Log Extcommand, or SCT Command Transport, described in INCITS ACS-3, othervendor unique commands, or the like from the CPU 5 as a special writecommand, the control unit 200 in the low reliability state transfers thecommand to the storage unit 2.

In the above explanation, the information processing system 1 is thecomputer system such as a desktop personal computer or a notebookpersonal computer. However, the information processing system 1 can be,for example, an information processing system including a storagenetwork shown in FIG. 85. In FIG. 85, the storage network 1000 is usedas the interface 19 and the interface 5001 and the network switch 6009is used as the relay unit 5000.

For example, a SAN (Storage Area Network) or a NAS (Network AttachedStorage) is used as the storage network 1000. As the SAN, for example,an FC-SAN (Fibre Channel Storage Area Network) or an IP-SAN (InternetProtocol Storage Area Network) is used. As an upper layer protocol ofthe SAN, for example, a SCSI (Small Computer System Interface) is used.For example, the IP-SAN can be adopted as the storage network 1000. AniSCSI (Internet Small Computer System Interface) can be adopted as anupper layer protocol of the IP-SAN.

The network switch 6009 is a network device configured to connect aplurality of network apparatuses such as clients, servers, and storageunits on the storage network 1000. Upon receiving a packet from anetwork apparatus, the network switch 6009 transmits a reception packetto the network apparatus at a destination based on a destination addressof the reception packet.

The network switch 6009 includes the control unit 200. The control unit200 can be entirely included in the network switch 6009 as shown in FIG.85. Alternatively, a part of the control unit 200 can be included in thenetwork switch 6009 and another part of the control unit 200 can beincluded in the main memory 6 of a client 7000A or a part of the controlunit 200 can be included in the network switch 6009 and another part ofthe control unit 200 can be included in another section in the system 1such as a ROM of the client 7000A. The control unit 200 can beimplemented in a form of firmware or software or can be implemented in aform of hardware.

In the same manner as shown in FIGS. 24 and 29 in the first embodiment,the control unit 200 determines whether one or a plurality of storageunits connected to the storage network 1000 have reached the life end,are about to reach the life end, or are about to fail. When the storageunits have reached the life end, are about to reach the life end, or areabout to fail, the control unit 200 transitions from the normal state tothe low reliability state targeting only a storage unit to be subjectedto life end processing. The normal state and the low reliability stateare modes of the control unit 200 present to correspond to each of oneor a plurality of storage units connected to the storage network 1000.For example, when the storage unit 2A is normal, the control unit 200operates in the normal state, i.e., a mode for the storage unit 2A. Forexample, when the control unit 200 determines that the storage unit 2Ahas reached the life end, is about to reach the life end, or is about tofail or determines that the storage unit 2A is deteriorated inreliability, the control unit 200 operates in the low reliability state,i.e., a mode for the storage unit 2A. Even when the control unit 200transitions from the normal state to the low reliability state targetinga storage unit to be subjected to the life end processing, the controlunit 200 operates in the normal state for a storage unit not to besubjected to the life end processing. As in the first embodiment, thelife end determination is performed at every fixed time, at each fixednumber of kinds of processing, or at each fixed data transmission andreception shown in FIG. 24 or when a command response received from thestorage unit is an error response as shown in FIGS. 29 and 30.

In this embodiment, as an example, two clients 7000A and 7000B and twostorage units 2A and 2B are connected to the storage network 1000.However, other arbitrary configuration can be adopted as theconfiguration of the network apparatuses of the system 1. A server 7000Acan be used instead of the client 7000A. A server 7000B can be usedinstead of the client 7000B. Addresses are respectively allocated to theclient 7000A, the client 7000B, the storage unit 2A, and the storageunit 2B on a storage network. As the addresses, for example, IPaddresses or MAC addresses can be used. For example, when the CPU 5 ofthe client 7000A transmits a command and data designating only theaddress of the storage unit 2A to the storage network 1000, the networkswitch 6009 specifies the storage unit 2A from the address in a packetconfiguring the command and the data. The network switch 6009 transmitsthe packet to only the storage unit 2A. For example, when the storageunit 2A transmits a response and data designating only the address ofthe client 7000A to the storage network 1000, the network switch 6009specifies the client 7000A from the address in a packet configuring theresponse and the data. The network switch 6009 transmits the packet toonly the client 7000A. In the address designation, not only a singlenetwork apparatus but also a plurality of network apparatuses can bedesignated.

When transmitting, for example, storage unit information of the storageunit 2A to, for example, the client 7000A, the control unit 200 switchesthe storage unit information of the storage unit 2A transmitted to theclient 7000A according to whether the mode for the storage unit 2A ofthe control unit 200 is the normal state or the low reliability state.That is, when the mode for the storage unit 2A of the control unit 200is the normal state, the control unit 200 transmits storage unitinformation indicating that storage unit 2A is a readable and writablestorage unit to the client 7000A. When the mode for the storage unit 2Aof the control unit 200 is the low reliability state, the control unit200 transmits storage unit information indicating that the storage unit2A is a readable only storage unit to the client 7000A. The storage unitinformation of the storage unit 2A is transmitted to the client 7000B aswell in the same manner. Storage unit information of the storage unit 2Bis also transmitted to the client 7000A and the client 7000B in the samemanner.

As explained above, in this embodiment, when the control unit 200determines that the storage unit 2 has reached the life end, is about toreach the life end, or is about to fail or determines that the storageunit 2 is deteriorated in reliability, the control unit 200 processes orgenerates storage unit information of the storage unit 2 transmitted tothe CPU 5 to thereby cause the CPU 5 and the OS 100 to recognize thatthe storage unit is a readably only storage unit. Consequently, it ispossible to prevent data write in the storage unit 2. Processing forrecognizing that the storage unit 2 is a readable only storage unit isperformed in a lower software layer such as the OS 100. Therefore, anupper software layer such as the application program 400 and the userdoes not need to perform special control of the storage unit 2.

While certain embodiments have been described, these embodiments havebeen presented by way of example only, and are not intended to limit thescope of the inventions. Indeed, the novel embodiments described hereinmay be embodied in a variety of other forms; furthermore, variousomissions, substitutions and changes in the form of the embodimentsdescribed herein may be made without departing from the spirit of theinventions. The accompanying claims and their equivalents are intendedto cover such forms or modifications as would fall within the scope andspirit of the inventions.

What is claimed is:
 1. A method of controlling an information processingdevice connectable to a first storage unit, a second storage unit and adata migration log area, the first storage unit including a readable andwritable first memory, the second storage unit including a readable andwritable second memory, the method comprising: executing firstprocessing for determining a storage status of the first storage unitbased on reliability information acquired from the first storage unit;executing second processing for, when the storage status of the firststorage unit is recognized as a protected state by the first processing,executing write on only the second storage unit of the first and secondstorage units, executing read on one of the first and second storageunits based on an address recorded in the data migration log area; andexecuting third processing for, when the storage status of the firststorage unit is not recognized as the protected state by the firstprocessing, executing read data from the first storage unit.
 2. Themethod of controlling the information processing device according toclaim 1, further comprising executing fourth processing for recording anaddress of data written in the second storage unit in the data migrationlog area according to the write by the second processing.
 3. The methodof controlling the information processing device according to claim 1,comprising, in the third processing, executing read data from the firststorage unit without reading from the data migration log area.
 4. Themethod of controlling the information processing device according toclaim 1, comprising comparing of the reliability information and athreshold in the first processing, and, when it is determined based onthe comparison that a life end condition of the first storage unit ismet, determining that the storage status of the first storage unit isthe protected state.
 5. The method of controlling the informationprocessing device according to claim 1, comprising in the thirdprocessing, when the storage status of the first storage unit isrecognized as a low reliability state by the first processing,recognizing that the second storage unit is in a data migrationdestination state of data stored in the first storage unit and changingthe storage status of the first storage unit to the protected state. 6.The method of controlling the information processing device according toclaim 2, comprising in the fourth processing, managing the addresses ofthe stored data in the first and second storage units such that data ofa same address is present in one of the first and second storage units.7. The method of controlling the information processing device accordingto claim 6, comprising, in the fourth processing, when the storagestatus of the first storage unit is recognized as the protected state,recognizing the first storage unit and the second storage unit as a samelogical unit.
 8. The method of controlling the information processingdevice according to claim 7, wherein the information processing deviceis connectable to one or a plurality of third storage units includingreadable and writable third memories, and the method further comprisingexecuting fifth processing for controlling the one or plurality of thirdstorage units and the first storage unit to configure a RAID andcontrolling, when the storage status of the first storage unit isrecognized as the protected state, the one or plurality of third storageunits and the logical unit to configure the RAID.
 9. The method ofcontrolling the information processing device according to claim 5,comprising, in the first processing, performing the comparison of thereliability information and the threshold and, when it is determinedbased on the comparison that a life end condition of the first storageunit is met, determining that the storage status of the first storageunit is the low reliability state.
 10. The method of controlling theinformation processing device according to claim 1, comprising, in thesecond processing, writing data read from the first storage unit in thesecond storage unit in parallel to the read processing.
 11. The methodof controlling the information processing device according to claim 1,comprising, in the second processing, reading data from the secondstorage unit when a read target address is recorded in the datamigration log area and reading data from the first storage unit when theread target address is not recorded in the data migration log area. 12.The method of controlling the information processing device according toclaim 2, wherein the information processing device is connectable to ametadata storing unit configured to store metadata, the methodcomprising in the fourth processing, recording, when it is determined bythe first processing that the storage status of the first storage unitis not the protected state, in the metadata, a mapping from an addressof data written in the first storage unit to the first storage unit andrecording, when it is determined by the first processing that thestorage status of the first storage unit is the protected state, in themetadata, a mapping from an address of data written in the secondstorage unit to the second storage unit, and in the second processing,in read processing, reading the data from the first storage unit when amapping from a read target address to the first storage unit is recordedin the metadata and reading the data from the second storage unit when amapping from the read target address to the second storage unit isrecorded in the metadata.
 13. The method of controlling the informationprocessing device according to claim 2, further comprising executingsixth processing for, when it is determined by the first processing thatthe storage status of the first storage unit is the protected state,storing first metadata stored in the first storage unit in the secondstorage unit as second metadata and managing the addresses of the storeddata in the first and second storage units using the second metadata,and in the fourth processing, recording, when it is determined by thefirst processing that the storage status of the first storage unit isnot the protected state, in the first metadata, a mapping from anaddress of data written in the first storage unit to the first storageunit and recording, when it is determined by the first processing thatthe storage status of the first storage unit is the protected state, inthe second metadata, a mapping from an address of data written in thesecond storage unit to the second storage unit.
 14. The method ofcontrolling the information processing device according to claim 1,further comprising executing eighth processing for, after it isdetermined by the first processing that the storage status of the firststorage unit is the protected state, when a deletion processing commandfor data stored in the first storage unit is received, recording anaddress of a deletion target data by the deletion processing command inthe data migration log area.
 15. The method of controlling theinformation processing device according to claim 1, further comprisingexecuting ninth processing for selecting data to be migrated to thesecond storage unit among data written in the first storage unit and,when all addresses corresponding to the data to be migrated are storedin the data migration log area, ending the protected state of the firststorage unit.
 16. The method of controlling the information processingdevice according to claim 1, wherein the data migration log area isstored in the second storage unit.
 17. The method of controlling theinformation processing device according to claim 1, wherein theinformation processing device further comprising a fourth memory, andwherein the data migration log area is stored in the fourth memory. 18.The method of controlling the information processing device according toclaim 2, comprising, in the fourth processing, in recording a firstaddress in the data migration log area, when a second addressoverlapping the first address or continuous to the first address isalready stored in the data migration log area, recording a third addressobtained by combining the first address and the second address in thedata migration log area and invalidating the second address.
 19. Themethod of controlling the information processing device according toclaim 1, further comprising executing tenth processing for, when thestorage status of the first storage unit is not recognized as theprotected state by the first processing, erasing the data migration logarea.
 20. The method of controlling the information processing deviceaccording to claim 1, wherein the information processing device isconnectable to the first storage unit through a relay unit, and themethod comprising when storage unit information is received from therelay unit, determining, in the first processing, that the state of thefirst storage unit is the protected state, the storage unit informationindicating that the first storage unit is a storage unit that supportsonly a read operation of read and write operations.